Is possible to use .httaccess to some place on the server via html form?
Suppose we can use php, html, javascript, .httaccess
I will explain it.
For example I will have www.myserver.com/administration/
In folder administration will be some filestructure for administrator and only authorized users shoul be able to access it.
One option is use simple .htaccess rule and you will need to access thought that ugly grey popup which consist of login and password.
Second option is use standard session notification in php - form in html send it via post, proccess it in php script, if you have right login and pass, create session and then check session on each page you need login for.
Third option - why don't mix it a bit. I don't know if its possible so this is my question:
Let's have same html form we would use for login via php with sessions, we will send it by post method somehow to athentication mechanism which is behind the htaccess authentification, than if it pass redirect to admin folder www.myserver.com/administration/
suppose that login form is on www.myserver.com/login.php
additional demands:
1)if I'm not logged in - redirect to loggin.php or better show some error page with message
so send to the error page some information via post for example set $_POST["message"] = "not logged"
2)be able to loggout - so assign logout action to some button html link ...
3)if its possible to folder is it possible set it only for specific filles on server or for some filestructure I'll define? for example login rule will be necessary for this 2 folders(all pages in it) and this 3 php pages which are somewhere else for exaple in third folder which will have protected only that 3 files and other will be accessible for everyone.
4)if this option is even possible is possible have more than one group of users?
I suppose that htaccess authentification works just like you can pass and you can't pass.
Hope somebody find the time to read this and answer it. My question is if its even possible do it this way I described.
.htaccess is just a way of configuring Apache.
One option is use simple .htaccess rule and you will need to access thought that ugly grey popup which consist of login and password.
There are various standard authentication mechanisms built into HTTP that Apache supports and which you can configure through a .htaccess file.
Let's have same html form we would use for login via php with sessions, we will send it by post method somehow to athentication mechanism which is behind the htaccess authentification,
You can write an Apache module that uses a form to handle the initial login process. This would typically be done with Perl or C. An example of one is Apache::AuthCookie.
You can then use .htaccess to configure Apache to use the module for various URLs on your site.
Related
I searched for the answer for my question but I couldn't find exactly what I wanted.
If you find a duplicate of this please send me it!
I have a couple of files in my website that are used to do background functions that I don't want anyone to access them- not even the admin. for example files like PHPMailer.php, login-inc.php logout-inc.php and more.
I need a way to prevent anyone from accessing those pages and not prevent them from working when triggered by buttons/forms.
I'm aware that using a session can redirect not logged users, although, here, I need to prevent everyone from accessing the pages by redirecting them or sending them to a 404 page.
what do I need to use to do that?
thanks!
Update: I'm very new to web coding so sorry for the confusing question, I wanted to block users from entering some pages by entering their location with a link for example I don't want users to be able to access tokens/passwords...
Using .htaccess solves my problem. thank you.
One way to protect your files to be called by web server is to move them out of site webroot directory. That way there is no way that someone access the with web browser and you still can include them. It's common solution.
Other way is to intercept web server requests and i.e. forbid some of them, redirect some others and so on. I.e for Apache web server you can do that inside .htaccess file. You have to allow that in website settings.
For your specific case, with those buttons:
You'll have to use .htaccess (or equivalent) to intercept all requests to those files. Then redirect those request to some php script, with also saving passed parameters.
Then your PHP script should decide what to do with that request...reject it (redirect to 404 page) or allow access.
For that your buttons, should pass some kind of pass code. So your PHP script can check, when it's called if valid pass code is provided (allow access) or not (redirect to 404).
Now making that pass code that can't be manipulated could be tricky, but generally you must invent some formula to generate them (based i.e. on current time) so PHP script could you the same formula to check it's validity.
Other way is to i.e. to do some JS action when button is pressed (i..e write some cookie) and PHP script will check for that JS action result (cookie exists or not).
On my server I have two folders. One is for login system (login, registration, forget password etc.) and second is for web application that i am developing. Both folders have index.php.
I want that when the user visit my site (mydomain.com), he must logged in to be allowed to use the application. I need to stay on url mydomain.com. Not mydomian.com/app.
I was thinking about moving the applications files in the www/ folder and load the login form with iframe, but in my opinion it is not the right solution.
For example, Instagram.com has exactly what I want. You must login to see photos, but you stays on the instagram.com
Please use include() by checking if user is logged in
if($loggedin)
include("/app/index.php");
else
include("usercontrol/index.php");
I'm assuming you're not using a framework, you could easily achieve that wit routing on any framework. Not using a frameworks you can include different php logic on your main index file depending on the session status
I've got so much useful information from other people's questions to help me develop my web building skills...
However I've been asked to set up a site using MagentoGo where I do not have access to the php actions etc and the default contact form has only 4 basic fields. If I generate my own customer form I can't get it to send any fields as there is no valid PHP to link to.
Can I host this script somewhere other than the parent site /xxx/xxx or can I dictate a that the URL to go to for actions.
The only other thing I can think of is perhaps embedding a contact form via another site?
This is mainly for data capture and to help customers with queries they have regarding the product.
Although it is best practice to host your own files onto the site, if this is all on the same server (or FTP user account), I don't see why this would not work.
In the past, I've used a form action with a full reference link, ie action="http://mysite.com/parse.php". The other solution would be to use cURL to send the information to the form parsing script and return the values, similar to how Paypal does it.
Since I'm not very familiar with cURL, I suggest reading up on it in the PHP.net manual.
there shouldn't be a problem with storing a script on another server, just create an HTML form within a CMS block or page in Magento and set the action attribute in your HTML form to the URL of the PHP script, e.g:
<form method="post" action="http://anotherserver.com/script.php">
unless i've misunderstood your question? if this isn't allowed because of some permissions within Magento Go then you could try just embedding a form as an iframe.
I'm developing a website by Zend.
Some people create a html file imitate my login view. Action in form point to my controller to submit.
I don't other login outsite from my websites. So how can I prevent other domains submit form to my controller?
I tried to get request host name of "requester pages" to compare theirs domain with mine, then return error if user login from other sites.
Check the ZF manual for CSRF protection, which is the standard, built-in way to solve this problem.
you could check the refferer if it is in your domain (or empty)
add a hidden input field an generate a token on every display. if the token is wrong, don't continue and redirect them to your login page.
Be sure that every token can only used once, by one user (same session/ip) and only for e.g. 1 hour
EDIT: see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
there would be easiest way to prevent out side users to login into your site
user zend captcha to generate every time new code to login session
you can use below link as reference to use in login page
http://mnshankar.wordpress.com/2010/06/01/zend-form-element-captcha/
So I was just told that having this sort of thing visible whenever someone views the source on your front end is insecure:
<form action="http://www.somedomain.com/form.php" method="post">
Basically, that someone being able to see the php file that the form submits to is dangerous. Is this the case? If so, how do I make my visible source secure while still having the form submit to our hypothetical "form.php"?
first of all , php source code can't be viewed unless you restrict access to it via htaccess or other ways , secondly , your front-end source code must always be public because security issues aren't treated from the front to the back-end , thirdly , your php file's source can't be viewed like a css file or javascript code
if you want to restrict direct HTTP access to form.php , you could use .htaccess
i use this solution , some files are marked as somefile.php, but some util files are either stored in a folder or marked as utils.inc.php , so i make sure that i restrict direct access to inc.php files and allow everything else
I personally do not see a problem with showing the page which the form submits too, because once the user submits his/her enteries, the action="" will re-direct the user to the page stated anyway, so either way they will see where they will end up. Whether in the URL bar or the form scripts.
Just ensure you sanitize the user-input data before passing it through your database.
Depending what your using for your Database Interaction; there will be functions available to protect you from injection
Security by obscurity is a good policy in only very select, specific cases. But knowing where forms submit to – that's actually the nature of web forms. There's now way around that.
Even if the URL you submit to is somehow dynamically created for some kind of impression of security – just have a proxy between the browser and the server, and the entire HTTP dialogue is open to be read.