
Thread: Securing content behind login page

  1. #1
    Join Date
    Feb 2013
    Location
    Northern Vermont
    Posts
    6

    Securing content behind login page

    I am the webmaster/designer (no cms) of www.champlainvalleyhog.com.

    We have a login page for content which is not supposed to be accessible to
    anyone other than members, but if you know the physical file path of the documents
    in question, you can still get to them, such as:

    http://www.champlainvalleyhog.com/secure/login.php (login page)

    http://www.champlainvalleyhog.com/se...13/2013-01.doc (path that you should not be able to get to without logging in)


    Thanks in advance!

  2. #2
    Join Date
    Feb 2013
    Location
    Philippines
    Posts
    3
    Hi there,
    I think the best solution would be to create one page with the link and then embed a script that will redirect to login, like this:

    <?php
    if (isset($_POST['field'])) {
        // allowed
    } else {
        header('Location: login.php');
        exit; // stop here so nothing after the redirect is sent
    }
    ?>

    I hope it will help you.

  3. #3
    Join Date
    Feb 2013
    Location
    Northern Vermont
    Posts
    6
    Maybe I did not specify clearly.

    I already have:

    <?PHP
    require_once("./include/membersite_config.php");

    if(isset($_POST['submitted']))
    {
    if($fgmembersite->Login())
    {
    $fgmembersite->RedirectToURL("login-home.php");
    }
    }

    ?>

    ...which prevents unauthorized access to my php files.

    I need to prevent access to all files below wwwroot/secure/membersonly which are pdf, doc, xls, etc.


    Thanks again!

  4. #4
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,614
    You need to create a file-server script, and put the actual files outside of the docroot (or in a directory tree where you prohibit access via the web server settings). Then you put your access control within the file server script, so it won't serve anything up if access is not granted.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  5. #5
    Join Date
    Feb 2013
    Location
    Northern Vermont
    Posts
    6
    While searching for a wide range of options, I found this... which works.

    Still trying to figure out how.


    AuthUserFile /dev/null
    AuthGroupFile /dev/null

    RewriteEngine On

    RewriteCond %{HTTP_REFERER} !^http://www.champlainvalleyhog.com.* [NC]
    RewriteCond %{HTTP_REFERER} !^http://.champlainvalleyhog.com/secure.* [NC]
    RewriteCond %{HTTP_REFERER} !^http://champlainvalleyhog.com.* [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.champlainvalleyhog.com/secure.* [NC]

    RewriteRule /* http://www.champlainvalleyhog.com/index.php [R,L]

  6. #6
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,614
    I suspect that can be defeated by anyone who knows how to set the HTTP_REFERER header (such as any PHP developer using the cURL functions).

  7. #7
    Join Date
    Mar 2013
    Posts
    3
    If you're looking for some help with securing information in mobile development, I believe there are some solid resources here to assist you. I know I've had plenty of worries about securing user information especially in our new mobile era which is prone to information theft. http://www.verious.com/board/Giancar...y-and-privacy/

  8. #8
    Join Date
    Nov 2011
    Location
    Valentia Island, Ireland
    Posts
    1
    Your members have to get some secret information after logging in that distinguishes them from ordinary users of your website. Put your members-only stuff outside the web server tree and check if a user can present the secret information when he tries to access a members-only file name. Change the secret information with every login attempt.
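
The file-server script suggested in posts #4 and #8, as an added example that is not code from the thread or from the site's login library. It assumes the login code sets a hypothetical $_SESSION['member_logged_in'] flag on success and that the documents have been moved to a hypothetical directory outside the docroot; the session cookie plays the role of the "secret information".

```php
<?php
// download.php (added example). Linked as download.php?file=2013/2013-01.doc
declare(strict_types=1);

const PRIVATE_DIR = '/home/site/private/membersonly'; // hypothetical path outside the docroot
const ALLOWED_TYPES = [                                // only serve the document types we expect
    'pdf' => 'application/pdf',
    'doc' => 'application/msword',
    'xls' => 'application/vnd.ms-excel',
];

// Map a requested relative name to a real file under $baseDir.
// Returns null for traversal attempts, unknown types and missing files.
function resolve_member_file(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks; the result must still sit under $base.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return (is_file($path) && isset(ALLOWED_TYPES[$ext])) ? $path : null;
}

session_start();
if (empty($_SESSION['member_logged_in'])) {   // assumed flag set by the login code
    header('Location: /secure/login.php');
    exit;                                      // never fall through to the file
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolve_member_file(PRIVATE_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);                   // same answer for "missing" and "not allowed"
    exit('Not found');
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Calling session_regenerate_id(true) in the login code right after a successful login gives each login a fresh session ID, which covers the "change the secret with every login" advice in post #8.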
