User login to the site and and with the appropriate permissions it allows to access to page policies/editor.php,from this page he has a link to access to directory: /home/account/app/Ui/policies/gray_list.
The good: the application manages internally the session, and once the user logout or session timeout expires, the user is directed to login page.
The bad, In case the user opened a tab to the directory, i.e. policies/gray_list/, he can stay there beyond that expiration, so even if the user logout from the site, he still can navigate to the directory.
How can I make the session expire (I assume using apache configuration)? So actually, what I want is that once the session timeout the user will at least get the forbidden 403 error, like he currently gets when he tries to access this folder directly and not from policies/editor.php
My current configuration:
SetEnvIf Referer "policies/editor.php" editorpage
SetEnvIf Referer "policies/gray_list/" graylistfolder
<Directory "/home/account/app/Ui/policies/gray_list">
Options Indexes FollowSymLinks
IndexIgnore ..
Order Deny,Allow
Deny from all
Allow from env=editorpage
Allow from env=graylistfolder
</Directory>
How exactly is your session implemented? If we are talking about PHP sessions here – there is no “simple” connection between those and Apache default functionality.
In that case, then you’re better of disabling directory content listing via Apache, and use a PHP script to read the directory contents and present it to the user (either by making a PHP script the DirectoryIndex file, or by rewriting directory requests to the script) – that way, you can handle your session resp its expiry accordingly.
And relying on the referer is of course no real “protection” at all, since that value is optional as well as most easily fake-able.
Related
I wrote a web application on an apache (2.4) web server where users are authenticated via kerberos. I have a user table in my database with basic permissions (r, w) set to 0 or 1. Now I would like to check these permissions every time the user tries to access a page on this web server. When the user has no read permission he should be redirected to the page "forbidden.html". Obviously, apache can't do the permissions check. So I tried it with php.
What I have so far
I've put all html files in a subfolder /html in the apache DocumentRoot and put this into my configuration file to call php/auth.php every time the user requests a page in /html:
<Location /html>
<If "%{REQUEST_URI} !~ m#\/forbidden\.html#">
# Script checks if user should get access to the site
SetHandler auth-script
Action auth-script "/php/auth.php"
</If>
</Location>
php/auth.php:
if ($params["user"]["r"] == 1) {
// User has permission, redirect to the requested page
header("Location: https://webapp.domain.de".$_SERVER["REQUEST_URI"]);
} else {
// User has no permission, redirect to forbidden.html
header("Location: https://webapp.domain.de/html/forbidden.html");
}
Problem
My problem is that I get a redirect loop. It seems the redirect from auth.php's header() again triggers the auth.php script through apache's Action directive. This behaviour does not appear when the user is redirected to forbidden.html because it is excluded in the conf file.
I tried commenting out the header() in auth.php, but apache will not serve the requested site automatically with the Action directive.
Is there a way to know if auth.php already redirected the user in this request and tell apache to not call the script. Or is there an even better way to do what I want to achieve?
Thanks in advance.
I did something similar without using Apache directives at all (hosted site, can't change anything). You do not need the Apache redirection part.
In every phtml file, the first action I do is to require a PHP page similar to your auth.php. If auth.php detects that the user does not have the rights for the page, I send back a header to redirect him, like so:
header('Location: http://www.example.com/forbidden.html');
Just make sure that nothing else is printed before the call to header, and non-authorized users will end up in your Location page.
If the user is authorized, no header, no redirection, keep going "down" the page.
I'm coding a small website with login for members. Every member have a dedicated folder and I'd like to know how to deny all access to this folder from everyone except form the user when he's logged in.
For now, I've set up things like that:
1) Every folder have an .htaccess with deny from all
2) When a user logged in, I use PHP to identify the user and get his folder. I get the user's IP address and I edit the .htaccess with
order deny,allow
deny from all
allow from 178.197.XXX.XXX
3) Once the user logged out, I reset the .htaccess to deny from all again
Is there a better way? And is there security risks?
Don't use IP. One user is not equal to one IP.
Store the folders outside the document root of your web server. This way, the files can never be served directly by the web server itself.
I.e., do not serve the files directly like http://my.site.com/path/to/actual/file. Instead require that the file be requested through a proxy PHP script like http://my.site.com/getfile.php?file=name. The script would check that a user is logged in, check that a file named name exists in that user's directory, and then spew it with readfile() or similar.
Also, in general, your files should never be writable by the user that the web server process runs as -- especially your .htaccess files.
Here's the layout:
web root
- admin (dir)
- index.php
- js
- img
- other files / dirs
- dir
- files
Until now, I protected the admin dir with .htaccess passwd because I want full access control for all files in that dir (including js scripts, jpg, pdf etc). On the other hand, my custom CMS provides authentication using PHP sesssion / cookie for other URLs. What I want to accomplish is to use the same PHP authentication for the .htaccess protected dir, avoiding the popup prompt for user / password for already PHP authenticated users. In summary:
I want the admin dir to use the .htaccess rules for authentication
If a user is already authenticated using PHP (login in a HTML form, on a non-protected file), bypass the second .htaccess authentication process when accessing the admin dir content
If a non PHP authenticated user tries to access content in the admin dir, the HTTP auth popup should be triggered
Most of the stuff that I've read suggest to move the admin dir outside the web root and access the files from a PHP script with readfile, which I don't want to do. There's dynamic content on that dir, as well as static. I know that apache will trigger the auth popup before loading any resources so the question is how to make apache aware that the user is already authenticated. Any other suggestion / workaround?
You can use the SetEnvIf variable in the .htaccess file to check if a certain Cookie value is set. For example (this isn't very secure, but just for illustration):
AuthType Basic
AuthName "Protected Login"
AuthUserFile "/path/to/.htpasswd"
AuthGroupFile "/dev/null"
SetEnvIf Cookie PHPSESSID=.* PASS=1
Order deny,allow
Deny from all
Allow from env=PASS
Require valid-user
Satisfy any
The line SetEnvIf Cookie PHPSESSID=.* PASS=1 checks if a Cookie is set with a PHP session id and if so, that is enough to Satisfy the authentication process and the Allow from env=PASS makes it skip the login prompt if this is true.
Again, this example is not very safe as a PHP session cookie is already set when session_start() is called without a succesful authentication attempt, so it would be better to set a more cryptical/random cookie value that's hard to guess. For example:
SetEnvIf Cookie AJNC3Z921dmc4O8P2 PASS=1
That way, if you set a cookie value of AJNC3Z921dmc4O8P2 upon succesful authentication through PHP, this will be enough to pass the authentication process. Make sure to set a proper cookie expiration time though to avoid people from being able to pass the login prompt for a prolonged period.
i want to deny access (from all non-logged in users) to all the files in a directory from the browser.
Only a logged in user can access his files in that folder. The file paths are stored in the database with the logged in user id, so that when the user logs in, he can view or download only his files.
So i dont want others (without logging in) to access the folder and files from the browser, and secondly, i want the users to be able to view only their files in the folder.
I think, Second thing i can do with some condition checks in php, but for the first one, can anyone tell me the htaccess rule to achieve ?
Thank you
dont show them the actual folder path where their files are stored.
Use a php file to fetch the downloadable content.
eg :- download.php?file=mydocument.doc
Cons :
Might be slow
No Download Resume support (I guess)
For the part of .htaccess user access you can take a look here at the .htaccess Password Generator
You can disable default directory browsing using .htaccess.
Open your .htacces file
Look for Options Indexes
If Options Indexes exists modify it
to Options -Indexes or else add
Options -Indexes as a new line
The directory browsing feature should be disable by now
There's article, which describes access control feature of Apache web server thoroughly: http://httpd.apache.org/docs/2.0/howto/auth.html
The easiest variant looks in the following way:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
BTW, this part:
Only a logged in user can access his
files in that folder. The file paths
are stored in the database with the
logged in user id, so that when the
user logs in, he can view or download
only his files.
will require either creation of separate password files for each folder, or some additional scripting.
There are some known issues with this approach:
Basic authentication scheme sends passwords as a clear text, which is not good if your site is accessible by HTTP (not HTTPS). There's also Digest authentication type, but there were some problems with browser support
Logout operation will require browser closing
Generally, I'd recommend:
Apache built-in capabilities - for simple access control without detailed users privileges/rights configuration
Custom access control by means of some web programming tools - for authentication scheme with supposed priveleges/rights configuration. There are many web development frameworks, which provide access control feature.
thanks for your replies, between i found a code snippet that is working just fine.
I inserted the following lines in my .htaccess file:
Order deny, allow
deny from all
Last night I made some admin changes to my webserver. I use php. The php processor failed after the update and if someone went to my homepage, the php page would simply download and show the proprietary code and password to anyone visiting. So I was wondering if there is a way to prevent any form of download for php files using .htaccess -- but still allow for normal viewing of the files.
A good pattern to follow during development is to use a minimal initialization file, which invokes the actual application which resides outside the webroot. That way only a minimal stub with no critical information is exposed in a case like this.
Simplified example:
/
/app
critical_code.php
/webroot
.htaccess <- rewrites all requests to index.php
index.php <- invokes ../app/critical_code.php (or other files as requested)
The trouble here is that either .htaccess is serving your files to the user or it's not. You can't tell it to deny access to the .php files, because then access will be denied during normal use, as well. There is no fallback behavior for the PHP processor simply not running correctly.
Maybe it's worth temporarily moving the web root to point to an "under maintenance" site when doing big things like that, to minimize risk as much as possible.
Assuming you're using Apache, your .htaccess file would look something like this.
<FilesMatch ".*\.php">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
<IfModule php5_module>
<FilesMatch ".*\.php">
Allow from all
Satisfy All
</FilesMatch>
</IfModule>
The first rule denies access to all .php files. By default, the user will see a 403 (Forbidden) error.
If the PHP5 module successfully loads, the second rule will take affect, which grants access.