Securing content behind login page

**vtdev2013** · 02-17-2013 08:54 AM

I am the webmaster/designer (no cms) of www.champlainvalleyhog.com.

We have a login page for content which is not supposed to be accessible from
anyone other than members, but, if you know the physical file path of the documents
in question, you can still get to them such as:

http://www.champlainvalleyhog.com/secure/login.php (login page)

http://www.champlainvalleyhog.com/se...13/2013-01.doc (path that you should not be able to get to without logging in)

Thanks in advance!

**russelvasquez** · 02-17-2013 06:10 PM

Hi there,
I think the best solution was to create one page with link and then embed a script that will redirect to login.
like this <?php
if (isset($_POST['field'])){
'allowed
}
else {
header ('location: login.php');
}
?>

I hope it will help you.

**vtdev2013** · 03-02-2013 08:58 PM

Maybe I did not specify clearly.

I already have:

<?PHP
require_once("./include/membersite_config.php");

if(isset($_POST['submitted']))
{
if($fgmembersite->Login())
{
$fgmembersite->RedirectToURL("login-home.php");
}
}

?>

.....which prevents unauthorized access to my php files.

I need to prevent access to all files below wwwroot/secure/membersonly which are pdf, doc, xls, etc.

Thanks again!

**NogDog** · 03-02-2013 09:29 PM

You need to create a file-server script, and put the actual files outside of the docroot (or in a directory tree where you prohibit access via the web server settings). Then you put your access control within the file server script, so it won't serve anything up if access is not granted.

**vtdev2013** · 03-02-2013 10:26 PM

While searching for a wide range of options, I found this.........which works

Still trying to figure out how.

AuthUserFile /dev/null
AuthGroupFile /dev/null

RewriteEngine On

RewriteCond %{HTTP_REFERER} !^http://www.champlainvalleyhog.com.* [NC]
RewriteCond %{HTTP_REFERER} !^http://.champlainvalleyhog.com/secure.* [NC]
RewriteCond %{HTTP_REFERER} !^http://champlainvalleyhog.com.* [NC]
RewriteCond %{HTTP_REFERER} !^http://www.champlainvalleyhog.com/secure.* [NC]

RewriteRule /* http://www.champlainvalleyhog.com/index.php [R,L]

**NogDog** · 03-03-2013 12:15 PM

I suspect that can be defeated by anyone who knows how to set the HTTP_REFERER header (such as any PHP developer using the cURL functions

).

**AK223** · 03-07-2013 06:10 PM

If you're looking for some help with securing information in mobile development, I believe there are some solid resources here to assist you. I know I've had plenty of worries about securing user information especially in our new mobile era which is prone to information theft. http://www.verious.com/board/Giancar...y-and-privacy/

**kerrylinux** · 03-09-2013 06:36 AM

Your members have to get some secret information after logging in that distinguishes them from ordinary users of your website. Put your members-only stuff outside the web server tree and check if a user can present the secret information when he tries to access a members-only file name. Change the secret information with every login attempt.

Thread: Securing content behind login page

Thread Tools

Display

Securing content behind login page

Thread Information

Users Browsing this Thread

Bookmarks

Bookmarks

Posting Permissions