Password protected part of website / custom log in page - php

I have a public website with 1 page that is password protected. On this page are links to several pdf files and just some text. This page and the files are currently protected using .htaccess and .htpasswd files. When users try to access it a pop-up shows up asking for a log-in name and password.
It works, but I don't like how it looks. I'd like to have a page on the website where people can log in, with the same look as the other pages. (Like most websites have)
I have looked around for a while and found this:
Easy way to password-protect php page
After messing around with it for a bit I got it to work and I successfully password protected one page. The problem however are the pdf files on the page. I have no idea what to do with those.
So for my question, I'd like the following:
1) A nice looking page where people can log in.
2) 1 password protected webpage behind this log in.
3) Multiple password protected PDF files that are accessible through this webpage. (They can just open in the browser)
There is only 1 name with 1 password.
Any suggestions on how this can be achieved?

The problem is that on your 'secure' page, you can't provide a static link to the PDF file, else anyone who knows the link, has the PDF. This is security through obscurity, and is considered bad practice.
Two possibilities immediatelly come to mind to protect your PDF's:
Don't link to the PDF itself, but to a script that 'transfers' the PDF. The PDFs are in a directory that is not accessible (out of the root) for the web, but accessible for the script. The script reads from the PDF and writes to the client.
Link to the PDF itself, but configure the webserver to check for a valid session with your script. Users who use the direct link but are not logged in, receive an error. Bonus: configure the error page to go to the logon page. Using mod_auth_form could be the easiest way here.

I know that PDF files can be password protected, would you consider this as an option?
You would do this when you are creating the PDF file.

Related

How to avoid a login bypass in my webpage by entering URL

I am trying to set up a secure web page at home. I created a login page with HTML and PHP, and it actually works when a user tries http://example.com. However I noticed that if a user enters in the URL http://example.com/documents.html (where documents.html is a page in my website) it get access to the page contents without login in first.
I have been looking for a solution for several weeks without success. I’ve tried to use the .htaccess capabilities of Apache without success, (get same results as above). So if someone could lead me on how to avoid this, that would be great.
This question is very broad. There are many possible solutions. It is going to be very hard to give a best answer.
My personal choice would be to remove HTML pages from the public area of the website and then create a PHP page which checks for permissions based on the requested page. If that is OK, then the PHP page would read the non public HTML page and simply echo out the contents.
This will secure the HTML pages without the need to rename them or alter them in any way. This is often times better because there is usually a reason that you have HTML pages instead of PHP pages. If they are being generated somewhere else it could be very difficult to keep those changes updated too. It will also allow you a chance to add to or modify the output in code before you display it.
One PHP file could be made per HTML page or you could use one PHP file for all pages and use a request variable to choose which HTML page to authorize and display. That is up to you.
As a bonus, this type of system can also be used for any other type of file you'd like to secure but still give (what seems to be) direct access to. To do that, just replace mystaticfile.html with mystaticfile.zip (or whatever) and make sure to send the correct header.
For me I added this code in the start of webpage that should be only accessible of logging in.
<?php
if(isset($_SESSION["username"])) {
//Code to run if logged in
} else {
//This will return the user to login page if the user is not logged in
header("Location: login.php");
}
?>
This will protect the exclusive pages for user page even if the url is manually typed.

Automatic login in net2ftp

I have a ftp client (net2ftp) embeded to a html page to upload files.
Now this file uploader comes with a login sistem. There is a way to set something like an auto login?
Let me set this more clearly, when my user comes to the net2ftp login page he/she is already logged in my main page, so its pointless for him/her to log again. So I want to find a way to make the net2ftp log automatically with the user's credentials.
I apologize if this text seems a bit confusing, english is not my native language.
Thanks!
Ok, I finally solve it. It was pretty easy actually.
For the autologin in net2ftp you need to go to 'net2ftp/files_to_upload/includes/registerglobals.inc.php', you'll see there is an array called net2ftp_globals, as its name sugests, it contains all the global vars, including the server and user name, languaje and skin options, etc.
You need to set the following vars this way:
$net2ftp_globals["ftpserver"] = [your ftp server name]
$net2ftp_globals["username"] = [your username]
$net2ftp_globals["password_encrypted"] = [your password]
then, in the same class, you need to change this vars
$net2ftp_globals["state"] = "browse"
$net2ftp_globals["state2"] = "main"
This way, net2ftp is going to be redirected to contents table and will skip the login page.
Keep in mind this only works is you have a ftp configuration for user, if you have users with more than one ftp server this is not a good solution for you.
There is actually an easier way to do this as of 2018(and more reliable I think).
On version 1.1 of net2ftp there is an option to bookmark a directory which creates a direct link to any directory you wish, automatically logs the user in and bypasses the login page. The link comes in this format:
https://example.com/admin/ftp/index.php?protocol=FTP&ftpserver=ftp.localhost&ftpserverport=21&sshfingerprint=&username=[username]&password_encrypted=[encrypted_password]&language=en&skin=shinra&ftpmode=automatic&passivemode=no&viewmode=list&sort=&sortorder=&state=browse&state2=main&directory=%2Fpublic_html%&entry=
You can then put an iframe on your page like this:
<iframe src="admin/ftp/index.php?[The rest of the link is the same as above]></iframe>
So let me get this straight, the user is already logged in onto your site, but will then need to log in into net2ftp?
Well, if your site is servicing this net2ftp service, and their login credentials for net2ftp are the same as your site, why don't you just alter the embed form code to have their credentials echo'd into the login fields? Does that work, or are you wanting to avoid the login feature entirely?
Perhaps submitting a link to your site would help.

Host problems securing content in members area folders with .htaccess

Okay, we have a subscription site up on our dedicated server. We feed content to paying members who access the site via our login page. Subscriptions are handled by a third-party biller who writes new member info to a database on our server. Member authentication is done using a MySQL database and not .htaccess/.htpassword. The reason for this was that much research showed that the .htaccess/.htpassword approach was insecure (transmission of user info via plain text) and that it offers no way for a user to log out. Thus the database authentication via MySQL. It all works great.
Except we have a problem in that the folders that contain members-only content need to be secured against anyone typing in the complete file path and file name to access the downloads content, thus bypassing our website.
So we went to the host and had a custom .htaccess file written. We had to do this in the interest of time, and they claimed to know about this sort of thing so we hired them to write the .htaccess file.
First iteration: It redirected every user login back to the index.php page instead of allowing access to the members area. Direct file access was blocked, however.
Second iteration: Member access to the member's area was restored and once again the content was vulnerable to direct download.
Third iteration: Successful access to member's area. Content access blocked to direct browser access. HOWEVER, ALL of the .jpg files that used to display with each of the download files in the member's area are now broken links. All of the thumbnails in the associated download file photo galleries are now broken links, preventing the viewing of the larger images they represent.
CONCLUSION: The host is backing out of the deal saying that what we want can not be done. To recap, what we want is:
Allow our registered members access to our member's area using our login page.
Preventing direct access to our content via browsers.
Allowing all of the .jpg images to display with the download files and in the thumbnail galleries.
They claim this can't be done, my suspicion is that they do not know how to do it. Certainly there are many subscription sites on the internet that use .htaccess files to secure their content.
ADDITIONAL INFO: We have an SSL certificate for this domain. Could that cause a problem? Shouldn't the .htaccess to protect our member's area content be in the member's area folder and not in the root (as it is now, and wouldn't that make the coding of the .htaccess file less complex?)?
I'm having a hard time believing that what we are asking to be done is not do-able.
Please advise. Any and all help will be severely appreciated.
Skip the .htaccess route. Store the file names for the 'member content' in MySQL. Then use .php to link to these for 'members only'. PHP would know only identifying information but not the actual file names. EG MySQL index #, storage date, member ID - all of these can be used to generate (and retrieve) a unique filename that you never expose.
I've done this before in Java using servlets in the 'src=' part of the img tag. I expect that PHP offers something comparable.

PHP File protection mechanism crashes because of FF

I have the following problem:
I have several image galleries which should only be visible to registered user.
The images are in one directory per gallery, each dir with a long, cryptic name.
But if you know the link, you can access the images without authentication.
Since I am using PHP on the server side, a simple approach would be "readfile" with .htaccess, but I do not want to pass hundreds of images through php.
So I tried a different approach: I used basic http authentication, with a dynamic generated .htpasswd file, containing access data for each loggedin user, which is resetted after 24 hours and after every logout of a user, so links on the images are broken after max. 24 h.
But I do not want the user to type in the cryptic, auto-generated username and password for this authentication, so I use urls like this:
http://username:password#path-to-image
That works perfectly in chrome, but in FF, when I want to include more than one image, the dialog to enter username and password appears for some of the subdirs of the protected one.
An example: I have the following dirs:
/gallery/one/
/gallery/two/
The protection is in an .htaccess file in /gallery/
And sometimes firefox only loads the images from /gallery/one/, sometimes only from /gallery/two/, sometimes none of these, sometimes both. If he doesnt load at least one of these, he asks to enter your username and password.
I cannot explain this behaviour, and I havent found a solution to make FF safely accept more than one url with username and password in it without asking.
Is there a solution for this problem, or do you have any other way to safely protect files on the server?
Thanks in advance.
PS: I have heard of mod-xsendfile, but it cannot be installed on my webhost.

Hide pdf to non registered users

I've hit a dead end with this code I'm working on. I have a website where users can register and will be able to view certain pdfs when they are logged in. My question is though, how do I hide this file to make sure that only those currently logged in can subscribe. I keep track of my users with a MySQL database and have been using PHP for all the server side coding. Ideally, the solution won't involve the user having to sign in again or anything like that. I'm not necessarily looking for code (though its always appreciated :D), but any bump in the right direction would be great.
Thanks for any help you guys can offer.
if(isset($_COOKIE['login']))
{
header('Content-Type', 'application/pdf');
readfile('secret/books.pdf');
exit();
}
else
{
include('login.php');
}
The only way to secure the URL to the user is to require a login, which is something you don't want to do. (Obviously as long as the session is open via a cookie or whatever you are using, the person could access it.)
But keep in mind that once a person as the link to the PDF, they can download it and give it to somebody else. So in my opinion, you should simply focus on making it impossible for the average person to guess the URL.
In other words, simply putting the PDF on a URL that is not guessable is sufficient security given that a person can easily duplicate the PDF.
That said, if you want to lock it down a bit, you could give each user his own unique URL for the PDF. Thus if somebody does copy the URL around, you know who did it. Also, you could have URLs expire after a certain time.
That URL could be stored in the database as a url -> pdf lookup. No authentication would be required to access it.
Two thoughts on that:
1) store your PDF outside of your public readable WWW folder and include it to an authenticated user like ayush proposed
2) protect the file with a username and password using htaccess and access it with curl. cURL can provide the correct credentials without making the user re-authenticate.

Categories