I have regular credentials to access a specific site (built with OpenCMS).
Everyday I download (Save AS) a bunch of pages, parse them and extract the data I need.
Is there a way to do it via PHP? Maybe using the cookie that's already been set?
Or passing credentials in http request? (I tried but seems OpenCMS won't allow that).
I've seen something about stream_context_create but I can't figure out how to do it.
Read up on CURL. You can specify a cookie jar to use, which means you can copy your normal browser cookies into the file CURL is using.
Related
I use a JSON API to get data for a website. I am aware of various methods that I could make it secure, but my situation is different from common methods.
Because of cross domain issues, I had to create an API folder with various PHP files that do cURL requests to the REStful API. I then request these local PHP files through AJAX on my site. On the next release it should be JSONP to avoid this issue.
Many of these JSON requests contain sensitive information so the first thing I did was check for the HTTP Referrer so people don't just grab the URL when inspecting the JavaScript code and try to run it on their browser. This is obviously not safe nor should I rely on it.
Any data I may try to post to the request will be through JavaScript so something like an API key or token would be visible and would defeat the whole purpose.
Is there a way I can prevent these PHP files to be run outside the website or something? Basically make them inaccesible for visitors?
This does not have to do anything with REST. You have a server side REST client, in which you call the REST service with cURL and the browser cannot see anything of this process. Until you don't want to build your own REST service for this AJAX client this is just a regular webapplication (from the perspective of the browser and the AJAX client ofc.). As Lorenz said in the comment, you should use sessions as you would do normally. That's all. If you want to restrict access to certain pages, you can use an access control solution, e.g. role based access control is very common.
I have a site built in PHP and we have some PHP pages that require logging in that produce links to PDFs. The problem is that those PDFs (which were copied out to Amazon Cloudfront) were indexed and available for searching.
What is the easiest way to stream an existing PDF to the browser, making it so that the user has to login to be able to see the document? I'm hoping that there is some simple Header code or something where I can say "load this file on the server that's not accessible on the web and output it as PDF".
Any thoughts/suggestions?
Thanks!
You can use htaccess (or similar) to redirect any requests for a .pdf document to a PHP script, passing the requested file name. The script can then validate the log-in credentials, and if the user is logged in it can then send PDF headers, fetch the PDF document (file_get_contents) and output the code.
You can either block access to files (as mentioned in the other answer) or (more cleverly, IMHO) you can pass the file through to the browser after checking credentials (or doing pretty much anything) in PHP. There are code examples and a discussion here: http://bytes.com/topic/php/answers/159354-pass-through-any-file
I'm using loadVars to load a PHP URL with lots of sensitive information required for the Flash application. Only problem is that URL can be accessed via a web browser which raises security issues if someone gets a hold of this URL. Is it possible to have the PHP page only accessible via my Flash application?
Appreciate the help!
Thanks
No, there is no way to limit a page to a specific app, browser or user agent, since all of those things can be mimicked. If you are passing around sensitive information then you need to do authentication and use encrypted data transfer (HTTPS).
Regardless of how you attempt to make it only accessible from your Flash application, a determined user will certainly be able to view the page also. It can be as simple as proxying the requests through an HTTP proxy like Charles, Firebug or Wireshark.
There are things that can be done to make it more difficult to figure out what the data is from viewing the page directly. For instance, you can encrypt the data or output it as binary. But since SWF is an open sourced format, users can use decompilers or just inspect the ABC (Actionscript Byte Code) to see what is really going on.
The short answer is NO, you cannot protect the information available to the client side (Flash) from being accessible from other clients.
As long as you have a page on HTTP, a determined user can always find a way around any user-agent restrictions imposed by you.
One way to protect the data (other than using HTTPS) is to encrypt it at the server, send it over HTTP and then decrypt it in Flash using as3Crypto or some other cryptography library.
Hope this helps,
so what i am trying to do is this:
login to the other server with a PHP on my own server (either with my username and pass/or with my cookies)
then have access to the page i want to display/download
i want to write a PHP script that is located on my own server, that automatically does a login to another server, that uses HTTPS and a web form for login.
after the login i have access to that page that i am trying to download.
i dont know if it would be possible to login and download the html only with the cookies that i have in my browser through a previous login, or if i need to do the login in my php script through some https login method.
can i do any of this with curl or fsocksopen or what would be the best way to realize this?
thanks in advance!
you just have to try. in most cases you should be fine if you export your cookies and use them in your curl request.
however the website mave hashed the cookies with the remote address, or given a timeout on them.
then you probably have to login from the server. with php / curl you can do that all.
the only thing that may be a problem is javascript/captcha codes.
in addition you should definately check zend http client, it has functionalities that makes "browsing" easy. for example saving cookies and automatically passing them on in the next request and also deleting them if the server tells you so etc.
Use the PEAR HTTP Request class.
I have a client running an ASP.NET application. Inside of that, there's a self-contained PHP wiki. The problem is that the wiki won't use the .NET authentication, so requests directly to http://foobar/path/wiki/ will resolve without forcing a login.
My simple solution for this is to run the PHP application in an iFrame from an .aspx file that will force authentication, and then use PHP to detect if the page is loaded outside of a frame and redirect if so.
I know this can be done with JavaScript quite easily, but I would prefer to do this test server-side before the Wiki content loads. I need help figuring out a way that this can be done. Referrer comparison perhaps?
Any suggestions?
Thanks!
There is no way to tell on the server-side if a client's browser is loading a page within a frame, tab, or dedicated window.
What you can do is have your .NET application set a cookie after authenticating that the PHP application will read. If the cookie doesn't exist then do a redirect to the authentication page.
Even with JavaScript this is not secure. One could simply request the Wiki pages and ignore the JavaScript. For example, I could use WGET to pull down all your content without ever authenticating.
If security is important, I would highly recommend figuring out a way to make the PHP app aware of the authentication.
The simplest approach, if this is all on one server, would be to have the .NET application store some sort of token after authenticating, somewhere PHP can access it. Then set a cookie that the PHP wiki will receive and check that value is a valid session for each request.