I have a login page and a member page.
login.php page in website root:
include(ROOT_PATH.'server.php') ;//outside of web root
... login form:
<form method="post" action="login.php">
<div class="input-group">
<label>username </label>
<input type="text" name="username">
</div>
<div class="input-group">
<label>Password</label>
<input type="password" name="password" autocomplete="new-password">
</div>
<div class="input-group">
<button type="submit" class="btn" name="login_user">Login</button>
</div>
</form>
server.php
// LOGIN USER
if (isset($_POST['login_user'])) {
$username = $_POST['username'];
$pass = $_POST['password'];
//sanitize, check with database
//if password valid, redirect to member page
$_SESSION['username'] = $username;
$_SESSION['user_id'] = $user_id;
header('location:'.BASE_URL.'member.php');
exit;
}
My questions:
I wanted to place member.php outside of web root but I dont know if header('location..
can access as such?
If member.php has to be in web root, how can I protect access to this page more that curently is?
member.php
session_start();
if (!isset($_SESSION['username']) && !isset($_SESSION['user_id'])) {
header('location:login.php');
exit;
}
... rest of the code
I wanted to place member.php outside of web root
If you place the file member.php outside the web root, then nobody will be able to access the URL /member.php, even if they are authenticated.
but I dont know if header('location.. can access as such?
Location headers point to URLs, not to files. So, if the URL you're trying to redirect to is not reachable by anybody (because you moved its associated file outside the web root), then the redirect will always bring everybody to a 404.
If member.php has to be in web root, how can I protect access to this page more that curently is?
Redirecting back to the login page when there's no session (like you're already doing) is generally how this situation is handled and should be sufficient for simple purposes. The main downside to this method is that you have to be vigilant and remember to explicitly put this check in every single source file in your web root.
Beyond that, you might explore the front controller pattern, which most MVC frameworks provide. This funnels all application access through one single control point, and would allow you to put the source files for your business logic, configuration, and templating outside the web root.
Related
I have a php file admin_trace.php in which I have integrated everything (config, session inactivity, login/logout, username/password verification and JS codes).
The php file admin_trace.php belongs to the following url http://example.com/admin_trace.php (let us suppose)
In the php file admin_trace.php, I have
a. database configuration code
b. session inactivity code (which forces logout of the page when there is no activity)
c. login/logout code
d. username/password verification code
e. if user is not logged in then it it will display the login page.
// Is user logged in?
<?php
if(!isset($_SESSION['pageadmin'])){ ?>
<form action="/admin_trace.php" method="post">
<div style='width:350px;'>
<fieldset>
<legend>Login</legend>
<div>
<label for="user_name">User Name</label>
<input type="text" name="user_name">
</div>
<div>
<label for="user_pass">Password</label>
<input type="password" name="user_pass">
</div>
<div>
<button type="submit">Login</button>
</div>
</fieldset>
</div>
</form>
<?PHP } else { ?>
f. JS code at the bottom
The issue which I am having right now that all my codes are in one file admin_trace.php which is making things difficult and making some part of the code (like JS) not working
Problem Statement:
I am wondering what would be the best way to architect any login form page that has config code, session inactivity code, login/logout code, username/password verification code and JS code. When I say architect I meant to say the relative locations of the files w.r.t. to admin_trace.php where config code, session inactivity code, login/logout code, username/password code etc will be placed.
PHP has the ability to split code into multiple files. You can bring this code in conditionally with if statements via the include and require statements (and corresponding include_once and require_once.
I don't know how to go about this, but I'd like my users to use m.site_url.com for the mobile version of the site. I have a CMS, and the mobile version of my main site is outside CMS folders. Once the user opens this URL, they are asked to login. The login has a following redirection upon form submit
<input type="hidden" name="mobileVersion" value="True">
<input type="hidden" name="redir" value="../mobile/crew_center.php" />
<input type="hidden" name="action" value="login" />
<input class="login-btn" type="submit" name="submit" value="Log In" />
/mobile is the folder for the m directory in the URL. When the user opens m.site_url.com (site_url.com as an example) the following if/else is ran in the index.php of this URL.
<?php include_once'/home/flyeurov/public_html/core/codon.config.php'; // This includes functions of a CMS for instance Auth::LoggedIn
if(Auth::LoggedIn())
{
header("Location: crew_center.php");
}
else
{
header("Location: login.php");
}
?>
The above code works for the direct path, for example when the user is logged in, entering site_url.com/mobile will open crew_center.php page. However, when the user types in m.site_url.com it will always display login.php regardless of whether the user is logged in or not.
How can I get this statement to work on m.site_url.com subdomain?
There are several ways you can try to get your Sessions work cross subdomain:
session_set_cookie_params(0, '/', '.your_url.com');
session_start();
is one of them.
or try this: Sharing session data across domains with PHP
I am doing a small application in core php.Here my database for login is something like this
id
firstname
lastname
email
userid
account_type
contactno
password
in login file the code is something like this
<?php
include_once("include/connection.php");
session_start();
session_unset();
?>
<?php
$msg="";
if(isset($_REQUEST['sub'])){
$pswd=sha1($_REQUEST['psd']);
$sel=mysql_query("select * from login where userid='".$_REQUEST['uid']."' and password='".$pswd."'");
$rowsel=mysql_num_rows($sel);
if($rowsel==1){
$selacc=mysql_fetch_array($sel);
if($selacc['status']!='banned'){
$_SESSION['uid']=$selacc['userid'];
$_SESSION['uname']=$selacc['fname']." ".$selacc['lname'];
$_SESSION['upassword']=$selacc['password'];
$_SESSION['acctype']=$selacc['acctype'];
$_SESSION['agentcode']=$selacc['agent_code'];
$_SESSION['authentication']="authenticated";
header("location:dashboard.php");
}
}
else{
$msg="Enter Valid Username Password";
}
}
?>
<body>
<form name="login-form" method="post" action="#">
<input type="text" name="uid" class="inputbox" />
<input type="password" name="psd" class="inputbox" />
<input type="submit" name="sub" value="" class="inputbotton" />
</form>
Now after the login the user is directed is dashboard. But from here when I am typing directly ``one page name(lets say posts.php) it is redirected to the post.php file. But here I want one denied access that when someone will direct enter the page name in the url(like post.php) it should show some error. But when the page is normal redirect then it should show the page.I want to prevent the direct page access in the address bar but when the page is normal redirected it should show the page.
Just check the any session variable set in previous page for example
if(!isset($_SESSION['uid'])){
echo 'error';
exit;
}
do it on the top
There are 2 factors in it.
1) your folders and files permissions on server.
2) When you login first time, it should show you login page. But when you do the same thing again. The variable stores in session until you close your browser. So, Close the browser and try again. You need to check if session id is set or not, and make decision according to that.
(I know this is probably a simple question to answer, but I don't know how to do it. Sorry if this has been asked before.)
What I want. I want a list of links to filse that are located on the server. The files are documents (pdf files). I understand how to use PHP to restrict access to the list of links, but one could just enter the direct link to the files in the browser and download the files. So I want to have the PHP file password protected (the list of links) and have people only enter the password once.
What I have. So far I have documents.php (found on the internet):
<?php
$username = "name";
$password = "5f4dcc3b5aa765d61d8327deb882cf99";
if ($_POST['txtUsername'] != $username || md5($_POST['txtPassword']) != $password) {
?>
<h1>Login</h1>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p><label for="txtUsername">Username:</label>
<br /><input type="text" title="Enter your Username" name="txtUsername" /></p>
<p><label for="txtpassword">Password:</label>
<br /><input type="password" title="Enter your password" name="txtPassword" /></p>
<p><input type="submit" name="Submit" value="Login" /></p>
</form>
<?php
}
else {
?>
<p>Link to documents</p>
<p>file.pdf</p>
<?php
}
?>
But with this a person could just access the file from the browser with the direct link: http://example.com/folder/file.pdf.
How do I prevent a this?
(I am comfortable with PHP and javascript and basic HTML)
Thanks,
Thomas
Mediate access to the files through php
Put the documents outside your webroot and keep a named array of the paths to them in your php file. When the client asks for a file by name (after you've authenticated them), look the file's path up in the array, and read the file from the filesystem, then output its contents back to them.
This is what readfile is designed for.
Similar to quasistoic's answer - except use your web server (eg. Apache or nginx) to provide a protected/internal URL for the PDF files (so not just a static URL within your webroot), and then use the X-Sendfile (or if on nginx the X-Accel-Redirect) header to send the file without having to stream the file through PHP.
If someone knows my url of the admin page such as www.example.com/admin.php, then they will easily access the page by directly accesing that url. How to restrict this. Please help
You should never make the admin section public. You can't rely on obscurity for this, authorisation is the way to go. You can do this by using .htacces, as described here, or by relying on PHP. A crude example follows below.
Below is a simple login implementation. If the password is correct it will allow the user to go to admin.php. You should read the PHP manual on sessions though, because the session header should be present on every page behind the login page. The password handling could be handled more secure as well.
<?php
session_name('MyAdminSession');
session_start();
if (isset($_POST['userid']) && isset($_POST['password'])) {
$userid = $_POST['userid'];
$password = md5($_POST['password']);
if ($userid == 'myusername' && $password == md5('mypassword')) {
$_SESSION['logged_in'] = true;
header('location: admin.php');
exit;
}
}
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>My login page</title>
</head>
<body>
<form action="index.php" method="post">
<label for="userid">Username: </label><br />
<input name="userid" type="text" id="userid" /><br />
<label for="password">Password: </label><br />
<input name="password" type="password" id="password" /><br />
<p><input type="submit" name="submit" class="button" value="Log In" /></p>
</form>
</body>
</html>
Require Authentication. (and Authorization - as commented below !)
10x #Just Somebody !
if you use apache web server you can restrict access using .htaccess
p.s. Take a look here: htaccess tutorial
I will try to put a few of these answers together for you, depending on how your website is setup.
If it is a simpler website and you don't do any user handling or admin authentication, your main option is to do as igorp said and restrict based on the .htaccess file.
You will get a popup asking for a predefined username and password, and only then will you have access to that particular page.
Again, this is good for a simpler website.
If it is more complex and you allow user logins to your site, you can setup access rights to various pages, based on the users access level.
For instance, in your administrative page(s), you would check the user's access level to see if he/she should be allowed to access the page. If he doesn't, redirect to an access denied type page. Otherwise, let them in.
With both of these methods, a user can browse directly to your administration pages and be required to go through some sort of validation. Either way, your admin pages will be protected.
You can block all IP to go in admin panel except your admins IPs
Write something like this:
order allow,deny
deny from all
allow from {your IP}
allow from {your other admin's IP}
This should be work
If you have cPanel (or a similar control panel) access, you can easily create password protected directories as well. This method uses htpasswd and htaccess files. If you set it up this way, anyone trying to access the protected directory will have to enter a user/pass. The only down side to it is that your admin files need to be in a directory of their own.
If I ever need quick authentication I use HTTP authentication which is pretty simple assuming you're on an Apache webserver:
$USERS = array( 'foo' => 'bar' );
$user = (isset($_SERVER['PHP_AUTH_USER'])) ? $_SERVER['PHP_AUTH_USER'] : '';
$pass = (isset($_SERVER['PHP_AUTH_PW'])) ? $_SERVER['PHP_AUTH_PW'] : '';
if( !$user || !isset($USERS[$user]) || $USERS[$user] != $pass ) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
print '<h1>Error</h1>Authentication failed!';
exit;
}
// if we made it this far the user logged in successfully!