I searched for the answer for my question but I couldn't find exactly what I wanted.
If you find a duplicate of this please send me it!
I have a couple of files in my website that are used to do background functions that I don't want anyone to access them- not even the admin. for example files like PHPMailer.php, login-inc.php logout-inc.php and more.
I need a way to prevent anyone from accessing those pages and not prevent them from working when triggered by buttons/forms.
I'm aware that using a session can redirect not logged users, although, here, I need to prevent everyone from accessing the pages by redirecting them or sending them to a 404 page.
what do I need to use to do that?
thanks!
Update: I'm very new to web coding so sorry for the confusing question, I wanted to block users from entering some pages by entering their location with a link for example I don't want users to be able to access tokens/passwords...
Using .htaccess solves my problem. thank you.
One way to protect your files to be called by web server is to move them out of site webroot directory. That way there is no way that someone access the with web browser and you still can include them. It's common solution.
Other way is to intercept web server requests and i.e. forbid some of them, redirect some others and so on. I.e for Apache web server you can do that inside .htaccess file. You have to allow that in website settings.
For your specific case, with those buttons:
You'll have to use .htaccess (or equivalent) to intercept all requests to those files. Then redirect those request to some php script, with also saving passed parameters.
Then your PHP script should decide what to do with that request...reject it (redirect to 404 page) or allow access.
For that your buttons, should pass some kind of pass code. So your PHP script can check, when it's called if valid pass code is provided (allow access) or not (redirect to 404).
Now making that pass code that can't be manipulated could be tricky, but generally you must invent some formula to generate them (based i.e. on current time) so PHP script could you the same formula to check it's validity.
Other way is to i.e. to do some JS action when button is pressed (i..e write some cookie) and PHP script will check for that JS action result (cookie exists or not).
Related
Is possible to use .httaccess to some place on the server via html form?
Suppose we can use php, html, javascript, .httaccess
I will explain it.
For example I will have www.myserver.com/administration/
In folder administration will be some filestructure for administrator and only authorized users shoul be able to access it.
One option is use simple .htaccess rule and you will need to access thought that ugly grey popup which consist of login and password.
Second option is use standard session notification in php - form in html send it via post, proccess it in php script, if you have right login and pass, create session and then check session on each page you need login for.
Third option - why don't mix it a bit. I don't know if its possible so this is my question:
Let's have same html form we would use for login via php with sessions, we will send it by post method somehow to athentication mechanism which is behind the htaccess authentification, than if it pass redirect to admin folder www.myserver.com/administration/
suppose that login form is on www.myserver.com/login.php
additional demands:
1)if I'm not logged in - redirect to loggin.php or better show some error page with message
so send to the error page some information via post for example set $_POST["message"] = "not logged"
2)be able to loggout - so assign logout action to some button html link ...
3)if its possible to folder is it possible set it only for specific filles on server or for some filestructure I'll define? for example login rule will be necessary for this 2 folders(all pages in it) and this 3 php pages which are somewhere else for exaple in third folder which will have protected only that 3 files and other will be accessible for everyone.
4)if this option is even possible is possible have more than one group of users?
I suppose that htaccess authentification works just like you can pass and you can't pass.
Hope somebody find the time to read this and answer it. My question is if its even possible do it this way I described.
.htaccess is just a way of configuring Apache.
One option is use simple .htaccess rule and you will need to access thought that ugly grey popup which consist of login and password.
There are various standard authentication mechanisms built into HTTP that Apache supports and which you can configure through a .htaccess file.
Let's have same html form we would use for login via php with sessions, we will send it by post method somehow to athentication mechanism which is behind the htaccess authentification,
You can write an Apache module that uses a form to handle the initial login process. This would typically be done with Perl or C. An example of one is Apache::AuthCookie.
You can then use .htaccess to configure Apache to use the module for various URLs on your site.
I have hosted a site, the documents suggest to put files under folder public_html.
I have three files index.php(view page), common.js, and result.php(php) in root folder. On clicking a button in index.php(view) file will trigger an ajax function to result.php.
The problem is everyone can access the result.php directly...
I trying to make folder structure, that all php files(result.php) are in folder behind root. So it will not accessed directly from browser using rewrite rule or anything else.
Please help me to solve this issue...
To make a file only acccessible via ajax you can use:
public static function isAjax() {
return (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH']=="XMLHttpRequest");
}
It returns true or false. Basically if it returns true then let the user carry on otherwise stop them.
Word of caution: Not all JS libraries/frameworks actually set this header but most do (JQuery, Mootools etc) and not all versions so make sure you have the latest version of a library/framework before you use this.
Plus if the user spoofs your headers then there is no real way to stop them.
I tend to use this as a precursor for stopping AJAX pages from being visible publicly. I also use parameter integrity checking and a random hash stored in session (CSRF type thing) to check if the user is legitamately accessing an AJAX page.
You can't protect it by moving it around, because there is no way to distinguish if a request to result.php was triggered by a legitimate AJAX call from index.php except for a session (or some other type of token).
You need to use a php session (or something equivalent) to:
Store what the use has access to (in index.php).
Check if he has access to it in (result.php)
You can't make a file accessible via ajax and then not accessible via the correct browser requests, as the Ajax call is doing the same behaviour a web-browser could.
I recently got Pair Networks to migrate my app to a new pair server. Since then I noticed the following:
Some users with extra permission are no longer able to access those areas they should normally have permission for. They get redirected to the login page which also serves as the Access Denied page.
Some pages with forms now redirect users to login.php on submit of the form. Form data are submitted to the db as expected though.
I have checked the db and the users are configured correctly. Also, user do not lose session when this happens, as they can click Back and navigate to a different area. I have also had a look at the log files but unable to gather much apart from the HTTP 302 code appearing a number or times to login.php probably describing the redirect to the login page.
Can anyone please suggest what could be responsible for this? Could it be a configuration problem and how can I deal with that? Could it be a conflict in those two servers I don't suppose it's pair's server, as I haven't really encountered similar problems in the past.
Any directions will be very much appreciated.
Seams like you are using PHP sessions out of the box, PHP is probably storing temp cookies on a folder that gets cleaned way to often.
If this is the case there is a security risk as the folder is server-shared and your services can be compromised.
A simple way to fix this is to change your session_save_path that can be done in the following fashion:
<?php
session_save_path('/home/example.com/sessions'); // where this a personal directory
ini_set('session.gc_probability', 1);
?>
i've a jquery script which post/get data to .php script. but i wanna prevent direct access to the php script. for example if the user look at the html source code,they will be able to access the php script directly by copying the url from the js file and i dont want that. how do i prevent users from doing that?? i want the user to use it via the html UI. i've google but found no link on this. however, i did notice that some popular websites are able to do that. how should i go about doing this??
It seems like a simple redirect is what you're looking for here.
Add something like this to the top of your php file. This will prevent the page from being accessed if the proper post has not been made. Of course you'll have to change the post and redirect to content more relevant to your project.
if (!isset($_POST['data'])) {
header('Location: your-redirect-location');
}
You may also be able to redirect based on the $_SERVER['HTTP_REFERER'] variable.
EDIT: I was going to explain this in a comment but it's too long. I should note that this is a simple solution. It will keep people from accidentally accessing your script. It's really difficult to create a 100% secure solution for your issue, and if somebody really wants to access it, they will be able to. If you don't have anything secure in the script in question, this will be fine. Otherwise, you'll have to look for an alternative.
Here is one solution:
<?php
if(isset($_POST["post_var]))
{
//to the code you want to do when the post is made
}
else
{
//do what you want to do when the user views the post page
}
?>
how do i prevent users from doing that?
You can't - all you can do is mitigate the risk people can fiddle with your script. Making sure you have the right HTTP_REFERER and/or POST data are both useful in that regard: a "malicious" user would need more than pointing her browser to the URL.
More techniques can be used here:
using session variables: you might not want users that are not logged in - if applicable - to use the URL.
using a one-time challenge (token): you can place a value in the HTML page and have the JS code send this value along with the POST request. You store this value in the session when it is generated. Checking the POSTed token against the session token guarantees the user has at least "seen" the HTML page before submitting data - this can also be useful to prevent duplicate submissions.
However, remember that anything a browser can do, people can do it as well. All these techniques can prevent the curious from doing harm, but not the malicious.
All you can do is making sure nobody can really harm you, and in this regard, your Ajax URL is no different than any other URL of your site: if it's publicly reachable, it has to be secured using whatever technique you already use elsewhere - sessions, user rights, etc.
After all, why should you care that users use this URL not using a browser ? You might want to think of it in terms of an API call that, incidentally, your page happens to use.
Your problem is similar to and has the same problems as a cross site request forgery.
To reduce your risk, you can check the request method, check the referrer, and check the origin if set. The best way is to have a secret token that was generated on the server that the client transmits back in every request. Since you're dealing with friendly users who have access to your live code, they may be able to debug the script and find the value, but it would only be for one session and would be a real hassle.
I'm currently developing a site which runs standalone and as a facebook app on an iframe
I was wondering what whold be "best practice" for checking if my page is ran in a facebook iframe before the page loads so I can preset the relevant CSS and other variables
Thanks.
$signed_request = $_POST['signed_request'];
if(empty($signed_request))
die('No direct access.');
There are a couple of ways to approach this. If you're not concerned about security (i.e. you really only want to know how to format the page rather than deciding what content to show) then your best bet may be to use a distinct url for Facebook access. For example if your standalone site is www.mysite.com you can configure fb.mysite.com or www.mysite.com/fb to point to the same place, then use the alternate version in your app settings. Your server code can then easily check which url version is being accessed and act accordingly. Of course you have to take some care with your links to make sure they maintain the correct prefix.
Another way is to use signed_request as discussed, setting a cookie (or session) when it is present to indicate a Facebook access. The trick there is to also include a bit of javascript code at the top of each page that checks to make sure the page is within an iframe. If not, then the code immediately redirects back to the current page with a parameter added like "?clearfb=1" which will tell the server to clear the cookie/session and output the page in external format.
checking to see if a signed_request is present would also be a good test...
Here is some php code to test if the current page is running inside a facebook iframe :
if( strpos( $_SERVER[ 'HTTP_REFERER' ], "apps.facebook.com" ) !== false ){
// Page is running in Facebook iframe
}
The only real check for this can be done on client-side by comparing window.top==window if it's true Application is run outside of an iframe.
There is no server side check that can ensure this since browsers not passing information about parent frames to server other than HTTP_REFERRER which cannot be trusted.
Facebook passing signed_request to your application if running on Canvas of Page Tab Canvas but this isn't something you can fully trust since it can be mimicked by user too.
Update:
The statement that this is the only real check doesn't mean you should use it! You better stick to signed_request based solution, since it's a way Facebook interact with your apps, users are not intended to use signed_request and it should not under any conditions be passed as Part of query string! If user mimicking it, something is probably wrong, I wouln't bother providing wrong styling in that case.
I ran into this same question this morning - I want desktop users to access my app through facebook but I want mobile users to be able to access the app directly via URL. Like Floyd Wilburn said, accessing the different versions of the app through different URLs is a good option, but instead of having two copies of the app (hard to maintain) I used mod_rewrite to rewrite the /facebook directory to the app root:
# rewrite both /facebook and / to same place so you
# can tell if your request came from facebook or from direct URL access :)
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_URI} /facebook*
RewriteRule (.*) /index.php [L]
Be sure to set your Facebook page tab URL to land in the /facebook subdirectory. Now, you can browser sniff to see if they're a mobile or desktop user, and you can test the requested URL to see if they're accessing the app through Facebook or directly :)
Let me add that there is NO foolproof way to determine either the client type or access point - both can be spoofed by someone who knows what they're doing - so take this into consideration when designing your app's security and authentication mechanisms.