Automatically logging in to pages which has htaccess in directory - php

I have a certain directory where I have .htaccess file.
I want to write something in PHP, for example, that will allow me to log in automatically to my site and then I can go to other sites in this directory.
I know that I can use http://user:pwd#mysite.com, but it doesn't work on IE.
I tried to use a curl option, but I'm not sure how can I use it to get anything useful for me.
So do you have any ideas if and how I can do this? Any examples will be very appreciated.

I haven't found yet explicit solution, but for now I have some workaround for this problem.
I used .htaccess file to write few rewrite conditions and rules.
Then I have:
Authentication.php - where is array of users, who have access to pages and where is function of checking if sent login and password are correct;
Router.php - where is list of special pages which should be always accessible (especially when user is not logged in) and where is function file_get_contents to get whole code of certain page;
SessionCheck.php - where is function of checking if user has his own token in session (whether he is logged in);
index.php - there are checking all above functions.
The point is to redirect all pages (*.html, *.htm, etc.) to index.php file, which verifies if current user is logged in. If he is, then there is downloaded code of page (which he wants to see) and it is showing by using echo function.

Related

preventing anyone from accessing back server pages

I searched for the answer for my question but I couldn't find exactly what I wanted.
If you find a duplicate of this please send me it!
I have a couple of files in my website that are used to do background functions that I don't want anyone to access them- not even the admin. for example files like PHPMailer.php, login-inc.php logout-inc.php and more.
I need a way to prevent anyone from accessing those pages and not prevent them from working when triggered by buttons/forms.
I'm aware that using a session can redirect not logged users, although, here, I need to prevent everyone from accessing the pages by redirecting them or sending them to a 404 page.
what do I need to use to do that?
thanks!
Update: I'm very new to web coding so sorry for the confusing question, I wanted to block users from entering some pages by entering their location with a link for example I don't want users to be able to access tokens/passwords...
Using .htaccess solves my problem. thank you.
One way to protect your files to be called by web server is to move them out of site webroot directory. That way there is no way that someone access the with web browser and you still can include them. It's common solution.
Other way is to intercept web server requests and i.e. forbid some of them, redirect some others and so on. I.e for Apache web server you can do that inside .htaccess file. You have to allow that in website settings.
For your specific case, with those buttons:
You'll have to use .htaccess (or equivalent) to intercept all requests to those files. Then redirect those request to some php script, with also saving passed parameters.
Then your PHP script should decide what to do with that request...reject it (redirect to 404 page) or allow access.
For that your buttons, should pass some kind of pass code. So your PHP script can check, when it's called if valid pass code is provided (allow access) or not (redirect to 404).
Now making that pass code that can't be manipulated could be tricky, but generally you must invent some formula to generate them (based i.e. on current time) so PHP script could you the same formula to check it's validity.
Other way is to i.e. to do some JS action when button is pressed (i..e write some cookie) and PHP script will check for that JS action result (cookie exists or not).

How to avoid a login bypass in my webpage by entering URL

I am trying to set up a secure web page at home. I created a login page with HTML and PHP, and it actually works when a user tries http://example.com. However I noticed that if a user enters in the URL http://example.com/documents.html (where documents.html is a page in my website) it get access to the page contents without login in first.
I have been looking for a solution for several weeks without success. I’ve tried to use the .htaccess capabilities of Apache without success, (get same results as above). So if someone could lead me on how to avoid this, that would be great.
This question is very broad. There are many possible solutions. It is going to be very hard to give a best answer.
My personal choice would be to remove HTML pages from the public area of the website and then create a PHP page which checks for permissions based on the requested page. If that is OK, then the PHP page would read the non public HTML page and simply echo out the contents.
This will secure the HTML pages without the need to rename them or alter them in any way. This is often times better because there is usually a reason that you have HTML pages instead of PHP pages. If they are being generated somewhere else it could be very difficult to keep those changes updated too. It will also allow you a chance to add to or modify the output in code before you display it.
One PHP file could be made per HTML page or you could use one PHP file for all pages and use a request variable to choose which HTML page to authorize and display. That is up to you.
As a bonus, this type of system can also be used for any other type of file you'd like to secure but still give (what seems to be) direct access to. To do that, just replace mystaticfile.html with mystaticfile.zip (or whatever) and make sure to send the correct header.
For me I added this code in the start of webpage that should be only accessible of logging in.
<?php
if(isset($_SESSION["username"])) {
//Code to run if logged in
} else {
//This will return the user to login page if the user is not logged in
header("Location: login.php");
}
?>
This will protect the exclusive pages for user page even if the url is manually typed.

php auth sending specifc users to a specific page

first off third question I've asked and all have been answered well! So thanks to everybody who reads my posts (and others I guess)
I've gotten as far as I can without complete help on this one. I need to create a username and password section. I've done this before using htaccess, htauth files. Works well. Secure, and log's them in fine. What I'm looking for though is some sort of script that will take a specific user to a specific page after login.
User1= user1.php
user2= user2.php
Ect.
Is this possible without a whole lot of work? I can make workarounds where the users login to the main index, then go where they need to, but then anyone logged in can go to anyone's page.
I'm not asking anyone to write the code. But even some guidance to some tutorials would be great!
If the page is authenticated using .htaccess, upon successful login the username is available as $_SERVER['PHP_AUTH_USER'].
So you can either redirect the user using Location, or even better, directly include() the desired file.
You can place the user1.php, user2.php, ... files in a directory of their own, with a .htaccess that disallows direct access. This won't stop PHP from being able to include the files, and this way only the authenticated user can have access to his file.
if (isset($_SERVER['PHP_AUTH_USER']))
{
$pvdir = './user_private_files/';
// "basename" in case we log in little Jack Folders (Bobby Tables's cousin)
$user = basename(strtolower($_SERVER['PHP_AUTH_USER']));
$file = $pvdir.$user.'.php';
if (file_exists($file))
{
include $pvdir."any_common_code_at_the_beginning_of_user_files.php";
include $file;
include $pvdir."any_common_code_at_the_end_of_user_files.php";
exit();
}
include ugly_error.php;
}
htauth is .. old :D
Well, in any case. You can fetch the user credentials from the $_SERVER variable somewhere and switch based on that.
var_dump($_SERVER); to see which property you need.
Then use header("Location: /go/here.html"); to redirect the user.

PHP prevent a variable passed via query string, but allow the same variable to be passed via apache mod_rewrite

I'm using .htaccess mod_rewrite to convert a nice URL, and using a php variable page to send the url portion to index.php where rest of the processing is done.
RewriteRule ^([a-zA-Z0-9-_/]+)$ index.php?page=$1 [QSA,L]
Now, if some malicious user passes the page variable via query string, it gets accepted. For example, if the user calls http://mysite.com/login?page=registration instead of loading the login page, user specified registration page gets loaded.
Any idea how to fix it within the htaccess file?
I've looked for answers for the same thing myself and I'm pretty sure there is no solution to it. The only solution I've come up with is to replace page with some arbitrary "key" instead, like 98198bs129387b13. Thus, they would have to know the key. But make no mistake, this is security through obscurity... and having proper checks in index.php is still necessary (and it is regardless).
if the user calls http://mysite.com/login?page=registration instead of loading the login page, user specified registration page gets loaded.
You can't fix this using mod_rewrite - after all, what's to stop the attacker from entering
domain.com/registration
instead?
You need to make sure that unauthorized users can never access pages they're not supposed to access.

PHP login for website folder

i have a folder on my website called "admin" ie. www.example.com/admin/, so what i want to do is when someone goes to that address a login box is displayed, once they put in the right credentials, they are allowed to see everything in that "admin" folder, so do i need to put in a check at the top of every page or can i just stick the check in the index.php page?
Is this possible?
If you want to do this via PHP, you'll have to include code in every source file checking if the person have proper credentials. You really want to solve this with a web-server based solution.
If you're using Apache, you can use a .htaccess file to set up authentication. Try This article for your first step in the right direction.
Using server based authentication also allows you to protect non-PHP files.
The index.php is displayed when someone goes to that folder. Without it, the contents (all the files) would be displayed, which is I think what you want here (ie list everything)
However, permissions can be set in the .htaccess file to require passworded access to these files.
In this way, your files don't need to be individually protected, just the folder itself.
If you are planning to use sessions in PHP, you should check if the appropriate session variables are set on the pages which the successfully logged in user visits.
To elaborate, you'll need to use something like this:
<?php
session_start();
if($_SESSION['usertype'] != 'admin') //$_SESSION['usertype'] should be set in the index page once the admin guy logs in successfully
header("Location:http://www.example.com/admin/"); //Redirect the user to the login page if the expected session variable is not found
?>
also can be achieved (sort of) with .htaccess depending on your actual requirements.
AuthType Basic
AuthName "Admin Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
.htpasswd
admin:$apr1$7ej2t/..$qlcauURCmChKfwVhnxRLt.
(admin/pass)
Your main point of entry can be the index.php and route the user to the proper view based on whether or not a SESSION is set.
And as for blocking the other files in the folder:
for PHP files: define a constant in the index.php and at the top of the other PHP files that are included check if it's "defined".
As for images and other types of files you can store them above the root and include them via PHP.

Categories