I have an old .net application which also contains a vbuletin forum in php.
I have created a custom handler to protect access to some files (*.doc etc) for non-autheticated users in .net app. The main problem is that now, all vbulletin users can no longer access these files.
Is there any setting I can do in order to make those files accessible for these php users? Because, all the requests are going trough my custom handler...
There are a few options that you can go with here.
If you can set a cookie for the users, regardless of PHP or .NET, then you could modify your handler to serve content based on the existence of the cookie, or similar. (You could use encrypted user value or other item if you need more than just a "yes/no"
You could move the two applications into two different silos/virtual directories. Public docs in one location for PHPBB and another for the .NET application
You could modify your handler to only handle certain folders/sub-folder within the structure which might allow you to get around.
For this specic case I've done a custom solution:
I've checked in the handler if the request comes from a php url and if this url contains my host, so I know it comes from the forum hosted on our site.
Related
I am developing a simple website for a community organization where we want to have, among other content, a wiki that is only visible to registered users who are logged-in.
Using some of the many excellent resources online, I put together a php-and-database based authentication system that handles user registration and session-based authentication. I can successfully call a php function that gives me a visitor's logged-in status.
But now, I am a little stuck on how I actually use this logged-in status to protect entire parts of my website, i.e., complex content in subfolders such as my wiki installation that is in /wiki. I have tried implementing an example where I can protect individual files by using RewriteCond and RewriteRule in .htaccess and then a method that uses header() and fpassthru(), such as the example here.
But this method doesn't seem to work when I want to protect an entire folder that itself contains php, such as the contents of my /wiki folder (a mediawiki installation).
(Note I don't particularly want to just use mediawiki's access control, because I want to have other content behind the login page beside the wiki.)
Further research brought me to the concept of "middleware" to control access to whole subdirectories, but have to admit I am a little out of my depth and haven't found a simple example yet of how I might implement this (maybe I am not searching for the right keywords).
I would be grateful if anyone could point me towards a resource and/or example for protecting subfolders on a website.
I have a hybrid WordPress plugin that fetches all data using curl from the main server. Let's call it A.
B is the client that requests for data and also can send data to A.
Now every request is encrypted and authenticated using a API access keys.
But the problem here is if I copy the plugin from B to a new client site C, the moment I use the same access keys etc. the plugin starts working.
I want to be able to restrict the access of one API access key to one domain name. How can I attain that?
I'd say to include the allowed host's IP address (B) in your access key administration.
So: when B does a call, you can validate the key and the IP it's calling from.
On A, you can use something like $_SERVER['REMOTE_ADDR'] to test the IP calling the script.
Two downsides: when sites move servers, the plugin will stop working. And of course, people can still spoof their IP, so there is a way to get around this, but at least you make it a lot more complicated and probably not worth the hassle for most cases.
A suggestion by TJHX
Make it part of the license you give your customers. The honest ones will follow it, the dishonest ones will find a way to break your DRM. This is a problem technology can't really solve confidently, especially when with things like wordpress people can just see your code - By TJHX
I have also looked into a lot of options but the mere fact is that the user always has access to the code in the wordpress plugin and can easily make amendments to the CURL request Headers even if you encrypt it.
All we can do it add it in our Licenses.
In my plugin, there are iframes that will be loading the data on the frontend so I am going to accept the domain name when the user buys the plugin and will check the referrers to my iframe to sort this issue out.
Thanks a lot guys for your help.
Use Case: I am working on an application where user can build his own html template and publish it to his domain by selecting one. He can use different components to do this.
Issue: I want to transfer the pages build by the user from my domain to his created domain. Something similar to what is done here. Now currently in the prototye, what I do is write the content to a file (a .html file using ajax request) then make an FTP connection to the users domain (possible beacuse domains are created dynamically by the application) and transfer the files to his domain.
This, I believe, cannot be the right way and I would like to build it around a REST service which would make it flexible and also secure.
Research: I went through the web and found some website handle this very well (like the one mentioned above) and believe they have built it as a service. Am I on the ?
I would like suggestions and the possibilities so I can move forward. I am using PHP on the server side and javascript on the client side.
I can see some possible features to add safety to your services :
Check the source IP from the request, and only allow your servers to make the REST calls.
add header('Access-Control-Allow-Origin: *'); with the list of the possible domains to make the calls, instead of the *.
add security tokens related to the caller machine IP address, that would work as a password for the machine.
send all the data using post instead of get.
To update the page, I would go this way :
keep the data in the database, on server 1
add a page that reads from the database the content of the page based on a domain parameter
on the domain page call server 1 with the domain parameter to get the contents
I'm building a product that involves clients adding their FB app data into my product's dashboard.
In this case each client would have to go to developers.facebook.com/apps and create an app first.
I would want to have a button which says "Create App" in my website that when clicked, would create the app instantly for the client.
So is it possible to create a FB App from my website (with script, not manually) ??
Thanks in advance,
Altin.
It was possible couple of years ago, and now it's been removed.
First of all, I’d think about the question, “does every client really need their own app?”
Maybe it’d also be possible to have all of the stuff you’re planning to do (no details on that) under one app, and have it decide on what data to show based on the fact which client’s Facebook page it gets added to (if it’ll run as page tab app), or by some additional parameter passed to it when calling it. You could f.e. example automatically redirect to a sub-folder on your webspace based on this criteria, that displays individual pages for that client.
If that’s not an option, then yes, your clients will have to set up the basic app themselves (and therefor they’ll need a verified account) – and afterwards tell app id and secret to you. Many of the “advanced” app settings can then be set by you via script – look at what properties are marked as “(Editable via API)” here: https://developers.facebook.com/docs/reference/api/application/
(Although some of the basic settings, like category, description, logo etc. will still have to be set by your client themselves. But other, more “technical” stuff, that the client maybe doesn’t know about and doesn’t even want to be bothered with, like canvas/page tab URLs etc. can be set by you. I’d say that’s as good a compromise as you can get for such a scenario.)
I run a video site, and I have lots of videos. My users have requested the "Youtube unlisted" feature. So I when about to try to create it and I am almost done.
This is what I have done so far.
1) Created a secret key which I defined as secret_key = md5(uniqid($VID)).$VID;
2) Allowed the MySQL field secret_key to be updated by the user.
What I am hoping to achieve is to add some instructions in the .htaccess for all videos set to be private. That will only allow users that have access to a private video from a specific link to be able to view the video.
So the link is in the form $baseurl.$secret_key. This link will never clash because the VID is different for every video.
What instructions can I add in my .htaccess file to only allow videos that are set to private to only be accessible via a specific link.
You might be able to hack something together using URL rewriting, redirecting the user to an error page if the key does not match. However, .htaccess files are not designed for dynamic updates like this.
The easiest solution would be to change the names of the files to incorporate the keys, and rename a file whenever its secret key is changed.
The preferred solution would be to make use of whichever server-side scripting language is already in use to block requests based on the result of a database lookup.