I'm using SimpleCMS to allow the client to make simple textual changes to their website; however, I'm having some issues here as part of the website is password protected through setting a PHP $_SESSION variable. From this secure page, an if(!isset) is run on this $_SESSION variable to allow or disallow viewing.
Simple CMS works by logging in to www.contenteditor.net and it loads the pages into some sort of frame (I use the word frame loosely). What I want to know is, in addition to my if(!isset) test, is there a way to see if the current domain is contenteditor.net and allow them access?
Any Help is appreciated,
Dan
$_SERVER['SERVER_NAME'] and parse?
Use $_SERVER['HTTP_HOST'] to check your host address and $_SERVER['SERVER_NAME'] could also be used.
If it's in a frame, then no, there's no secure way to do this based on the domain name.
What you could do is, in your authorization code, also allow some kind of URL authorization in addition to the sessions.
When your code editing site opens the page to edit it, append that identifying information to the URL (?auth_token=abcde). You might use a database to generate these tokens from the editor application and read them from the website application, for example. Then the page can be displayed without going through a login form on the website.
Related
I searched for the answer for my question but I couldn't find exactly what I wanted.
If you find a duplicate of this please send me it!
I have a couple of files in my website that are used to do background functions that I don't want anyone to access them- not even the admin. for example files like PHPMailer.php, login-inc.php logout-inc.php and more.
I need a way to prevent anyone from accessing those pages and not prevent them from working when triggered by buttons/forms.
I'm aware that using a session can redirect not logged users, although, here, I need to prevent everyone from accessing the pages by redirecting them or sending them to a 404 page.
what do I need to use to do that?
thanks!
Update: I'm very new to web coding so sorry for the confusing question, I wanted to block users from entering some pages by entering their location with a link for example I don't want users to be able to access tokens/passwords...
Using .htaccess solves my problem. thank you.
One way to protect your files to be called by web server is to move them out of site webroot directory. That way there is no way that someone access the with web browser and you still can include them. It's common solution.
Other way is to intercept web server requests and i.e. forbid some of them, redirect some others and so on. I.e for Apache web server you can do that inside .htaccess file. You have to allow that in website settings.
For your specific case, with those buttons:
You'll have to use .htaccess (or equivalent) to intercept all requests to those files. Then redirect those request to some php script, with also saving passed parameters.
Then your PHP script should decide what to do with that request...reject it (redirect to 404 page) or allow access.
For that your buttons, should pass some kind of pass code. So your PHP script can check, when it's called if valid pass code is provided (allow access) or not (redirect to 404).
Now making that pass code that can't be manipulated could be tricky, but generally you must invent some formula to generate them (based i.e. on current time) so PHP script could you the same formula to check it's validity.
Other way is to i.e. to do some JS action when button is pressed (i..e write some cookie) and PHP script will check for that JS action result (cookie exists or not).
I have a webservice (abc.com) for my company with an own user database and it is working just fine. Now my company wants to add some additional services which are located on a completly different server with another domain (xyz.com) but still use the same login data from abc.com because we have complete control over it and there are going to be similar servers like xyz.com so it is out of question to just import the user database on xyz.com.
My first thought was to use my checkuser.php from abc.com while submitting the login form from xyz.com but then I learned that the session cookie stuff is bound to the domain. At least that is how I understood it.
After that I wanted to access my checkuser.php via AJAX and HTTPS and submit the session data encrypted via POST to xyz.com. That failed too as AJAX seems not to work across multiple servers for security reasons.
Now I am out of ideas and dont know how I can securly authenticate out users on the foreign servers using our user database.
I would use single sign on (SSO) in stead of a shared session. That way, you don't make the sites code dependent on each other. If you later decide to change something on one of the sites, there is less reason to worry about breaking functionality on the other sites, and if you choose to link in a new site you are able to reuse the same solution.
What's better is that someone already made it for you, and it may even be more secure that what you'll be able to create yourself.
Wikipedia has some good general knowledge on SSO. Also, look into OAuth and OpenID. Combine these terms with PHP and a search should get you on the right track.
Another option is to simply have the login function on xyz.com connect directly to the database of abc.com to check the login name and password. Then you use xyz.com's database for everything else. Also if you really wanted to you could store the session information in your database on abc.com instead of a temporary file then you can also access that data from xyz.com. Here is an example of how to do this.
I haven't been working with php very long and have not encountered this problem myself, however, I've been hitting the books hard and came across an answer that my help you out.
If you are just trying to access the scripts and DB on server xyz.com, you can literally grab the content of a script using its url or IP address from within a script located on a separate server (abc.com) using the following function:
/* This example allows my example script on server mvc.com
to access the script on oreilly.com */
file_get_contents("http://oreilly.com");
Since you are accessing the code remotely, and I'm taking a shot in the dark here, I think that file_get_contents ( ) would allow you to set variables via $_POST or $_GET methods from the script on server xyz.com and send the values to the script on server abc.com. From there, you could then store these variables inside $_SESSION variables located on a single server, which ever server that handles the original $_SESSION variables and most of the processing.
It could become a quite complex 'game of catch' between the servers if you need to go back and forth frequently, but I think it may be a way around your problem if you can't move the data onto a single server. If you plan the structure of your scripts well this would allow you to store those $_SESSION variables all in a single place.
i've a jquery script which post/get data to .php script. but i wanna prevent direct access to the php script. for example if the user look at the html source code,they will be able to access the php script directly by copying the url from the js file and i dont want that. how do i prevent users from doing that?? i want the user to use it via the html UI. i've google but found no link on this. however, i did notice that some popular websites are able to do that. how should i go about doing this??
It seems like a simple redirect is what you're looking for here.
Add something like this to the top of your php file. This will prevent the page from being accessed if the proper post has not been made. Of course you'll have to change the post and redirect to content more relevant to your project.
if (!isset($_POST['data'])) {
header('Location: your-redirect-location');
}
You may also be able to redirect based on the $_SERVER['HTTP_REFERER'] variable.
EDIT: I was going to explain this in a comment but it's too long. I should note that this is a simple solution. It will keep people from accidentally accessing your script. It's really difficult to create a 100% secure solution for your issue, and if somebody really wants to access it, they will be able to. If you don't have anything secure in the script in question, this will be fine. Otherwise, you'll have to look for an alternative.
Here is one solution:
<?php
if(isset($_POST["post_var]))
{
//to the code you want to do when the post is made
}
else
{
//do what you want to do when the user views the post page
}
?>
how do i prevent users from doing that?
You can't - all you can do is mitigate the risk people can fiddle with your script. Making sure you have the right HTTP_REFERER and/or POST data are both useful in that regard: a "malicious" user would need more than pointing her browser to the URL.
More techniques can be used here:
using session variables: you might not want users that are not logged in - if applicable - to use the URL.
using a one-time challenge (token): you can place a value in the HTML page and have the JS code send this value along with the POST request. You store this value in the session when it is generated. Checking the POSTed token against the session token guarantees the user has at least "seen" the HTML page before submitting data - this can also be useful to prevent duplicate submissions.
However, remember that anything a browser can do, people can do it as well. All these techniques can prevent the curious from doing harm, but not the malicious.
All you can do is making sure nobody can really harm you, and in this regard, your Ajax URL is no different than any other URL of your site: if it's publicly reachable, it has to be secured using whatever technique you already use elsewhere - sessions, user rights, etc.
After all, why should you care that users use this URL not using a browser ? You might want to think of it in terms of an API call that, incidentally, your page happens to use.
Your problem is similar to and has the same problems as a cross site request forgery.
To reduce your risk, you can check the request method, check the referrer, and check the origin if set. The best way is to have a secret token that was generated on the server that the client transmits back in every request. Since you're dealing with friendly users who have access to your live code, they may be able to debug the script and find the value, but it would only be for one session and would be a real hassle.
I have a secure site with private information that uses https. We have a partnership with another site that provides functionality for our users. We want the header and footer to be the same, but the body functionality to come from their site. I thought I'd create a template file that they can request from our server, which would allow me to keep creative control for whenever our site has changes.
However, the header has account information, so it needs to access the session information for the current user. So number one, is this possible? If a user clicks from my site to theirs and they request the template from our servers, how can it be sure to connect to the correct session? And number two, is this safe? How can I be sure this connection is secure?
Edit: It appears this option is not worth pursuing. I'm going to work on some other ways for the other server to access the information. Thanks.
What you are trying to do in that way is a completely mess.
You should avoid outtputting a page built from different website putted all togheter.
That would become:
Hard to maintain;
Prone to security hole.
If you want the file on your site to be a template, it should be only that. Have the other site add the information to the header after fetching it.
I think for what you are doing, the only option you have to is to redirect any request through your server acting as a proxy to maintain session vars without causing to many security holes.
I would like to enable an "auto login" button for my users. By pressing the button the users will be logged in to a different site with the username and password that I have added inside the code.
My site uses php and this site is written on asp.
Is this possible?
Thanks in advance
You'd have to use CURL in PHP in order to send the POST data to your ASP script in the remote site.
Nevertheless, the ASP site might have some inner-validations which can lead to refuse your request, it's worth a try, though!
To set CURL to user POST, check out the setopt CURL function options, you have to set the CURLOPT_POST option to TRUE, but you might find that (depending on the ASP site), you need to activate/deactivate other options.
Cheers!
This depends on the website you're trying to login to.
In a website not using a key-based system for each visitor this can be achieved pretty easily.
First navigate to the page yourself that contains the login form and show it's page source.
Jot down every <input>-tag's name and value and determine which one is the username & password. Also note the form's action to see where the data is going towards.
Now you can use curl to send a user to the website, just inject the post data and apply your own username & password to it.
A. If you don't own the remote site:
Have you tried to post your authentication parameters directly to the ASP.net page? Then you could also try using CURL but either way, be rest assured that the site owner might lock you out anytime by implementing simple CSRF protection.
B. If you own the remote site:
You can share sessions with a unique key using a common database.