I'm coding a small website with login for members. Every member have a dedicated folder and I'd like to know how to deny all access to this folder from everyone except form the user when he's logged in.
For now, I've set up things like that:
1) Every folder have an .htaccess with deny from all
2) When a user logged in, I use PHP to identify the user and get his folder. I get the user's IP address and I edit the .htaccess with
order deny,allow
deny from all
allow from 178.197.XXX.XXX
3) Once the user logged out, I reset the .htaccess to deny from all again
Is there a better way? And is there security risks?
Don't use IP. One user is not equal to one IP.
Store the folders outside the document root of your web server. This way, the files can never be served directly by the web server itself.
I.e., do not serve the files directly like http://my.site.com/path/to/actual/file. Instead require that the file be requested through a proxy PHP script like http://my.site.com/getfile.php?file=name. The script would check that a user is logged in, check that a file named name exists in that user's directory, and then spew it with readfile() or similar.
Also, in general, your files should never be writable by the user that the web server process runs as -- especially your .htaccess files.
Related
I am working in a website that requires blocking access to internauts via URL to a directory that holds different type of content (images, css files, js files, etc). This content will be used in the website in certain occasions when it is required and only for a few seconds (advertising), therefore the website will require to access this directory, however the client does not want the content of that directory to be available via URL.
I have tried doing it through htaccess, by validating the user with a password. This forbids internauts entering this directory if they don’t have the password, however this method also block the website when it needs to use some of the content within this directory.
Thanks for reading.
You might want to put an appropriate .htaccess file inside of any folder you want to restrict and avoid mod_rewrite
#
# Restrict access by IP address
#
Order Allow,Deny
Allow from 127. # localhost
Be sure to confirm your host IP and update accordingly if it's not the default localhost
Which is the best way to prevent certain directories of a web site from being directly accessed?
1- Creating and placing a .htaccess file in each directory we want to protect and place the next line in it:
Deny from all
2- Creating and placing a index.php file in each directory we want to protect and place only the next line of code in it (which will redirect to homepage of the website):
<?php header("Location: http://" . $_SERVER['HTTP_HOST']); ?>
3- Something else (what is it?)
As mentioned in the comments, the safest way is to place content or directories outside the web server's public document root. This will ensure that content will not be served even if an .htaccess file is deleted or if the server does not allow .htaccess overrides.
To determine your document root you can just echo the PHP $_SERVER['DOCUMENT_ROOT'] variable. So if your root is /var/www/html, you can create a folder /var/www/protected_folder and Apache (or other web server) will never serve it (unless the http.conf file is altered to modify the document root folder).
If the folder must be in the document root, then using an .htaccess file to either DENY or redirect is a good alternative.
As TerryE mentioned, you could also use OS-level file permissions to deny the Apache user access to the folder (set a different user as the owner and then set permission on the folder to 700, for example). If they try to access the folder they'll get a 403 Forbidden Error which you may not want to show (though you could set up a custom 403 error handler in http.conf or htaccess). Depending on specifically what you are trying to do you may want this approach, as it will also let you prevent access from scripts (i.e. PHP include() etc) if you want to, as PHP runs under the webserver user by default. The major downside of this approach is that file permissions are often not preserved during migrations (if they're not done correctly) and file permissions can sometimes be reset inadvertently when altering parent folder permissions with a recursive flag (whereas it's unlikely that someone would inadvertently move a folder into the document root).
I have a site and I want to create a log.txt file which includes all user logs.For example a user logged in anytime and logged out. That is to say,time which users logged in and out. I can make this with database but there would many rows and I don't want it. If I put log.txt file to /logs/log.txt,any user who writes domain.com/log/log.txt to address bar will see that file. How can I prevent this. (I use PHP)
It's true that you can hide files from website visitors using .htaccess, or by putting similar rules in other Apache configuration locations. But this kind of thing is not trivial, and it's easy to make mistakes. The best way to hide files from site visitors is through the directory structure of your project. For instance:
A directory www/ to contain all files website visitors DO need to visit directly with a browser. This will the the directory used as we website root in your Apache configuration. If browsers don't need to fetch a file, it should not be here.
Other directories, like logs/ for logs, lib/ for source code that gets included in your scripts, config/ for settings and configuration files, etc. Since they're not inside of the website root (www/), users cannot point their browsers at any of these files.
If you're on shared hosting, and they only give you one folder that is your website root, then you can't do this. I wouldn't purchase a hosting account from such a company, though, because there are plenty that DO let you put files outside your web root.
Use a .htaccess with
<Files "log.txt">
order deny,allow
deny from all
allow from 1.2.3.4
</Files>
Where 1.2.3.4 is your IP, if you want to be able to acces it from your browser via the site. Else remove that line, so you will only be able to access via FTP or script
You can prevent http access to your log folder by using an .htaccess file that contains
deny from all
I have a website that has an include folder which contains php templates and functions. If a user tries to access that folder. It may not harm website but I don't want my users to see those templates in an UN-organized manner. Instead, I want to restrict the user if he tries to directly access those files within include folder and redirect him to homepage.
Put this in an .htaccess file in that directory:
Deny from all
This is assuming you're using Apache or another web server that knows how to read and process .htaccess files.
For the redirect, instead of Deny from all you could try this instead:
RedirectMatch 301 ^/includes/$ http://www.yoursite.com/
You can configure the server such that this folder is not available to the public. Alternately, structure the site so this folder is below the siteroot - this makes it completely invisible to the public. Simply adjust your include paths and you're done. I prefer this solution, because the files are completely off the radar unless you are logged in and have access to the file system.
i want to deny access (from all non-logged in users) to all the files in a directory from the browser.
Only a logged in user can access his files in that folder. The file paths are stored in the database with the logged in user id, so that when the user logs in, he can view or download only his files.
So i dont want others (without logging in) to access the folder and files from the browser, and secondly, i want the users to be able to view only their files in the folder.
I think, Second thing i can do with some condition checks in php, but for the first one, can anyone tell me the htaccess rule to achieve ?
Thank you
dont show them the actual folder path where their files are stored.
Use a php file to fetch the downloadable content.
eg :- download.php?file=mydocument.doc
Cons :
Might be slow
No Download Resume support (I guess)
For the part of .htaccess user access you can take a look here at the .htaccess Password Generator
You can disable default directory browsing using .htaccess.
Open your .htacces file
Look for Options Indexes
If Options Indexes exists modify it
to Options -Indexes or else add
Options -Indexes as a new line
The directory browsing feature should be disable by now
There's article, which describes access control feature of Apache web server thoroughly: http://httpd.apache.org/docs/2.0/howto/auth.html
The easiest variant looks in the following way:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
BTW, this part:
Only a logged in user can access his
files in that folder. The file paths
are stored in the database with the
logged in user id, so that when the
user logs in, he can view or download
only his files.
will require either creation of separate password files for each folder, or some additional scripting.
There are some known issues with this approach:
Basic authentication scheme sends passwords as a clear text, which is not good if your site is accessible by HTTP (not HTTPS). There's also Digest authentication type, but there were some problems with browser support
Logout operation will require browser closing
Generally, I'd recommend:
Apache built-in capabilities - for simple access control without detailed users privileges/rights configuration
Custom access control by means of some web programming tools - for authentication scheme with supposed priveleges/rights configuration. There are many web development frameworks, which provide access control feature.
thanks for your replies, between i found a code snippet that is working just fine.
I inserted the following lines in my .htaccess file:
Order deny, allow
deny from all