.htaccess files are not my strong point.
I have document uploads going to /uploads. The user should be able to view the documents they've just uploaded by clicking on the document link that appears via ajax after uploading is completed.
However, I would like to be able to password protect the /uploads folder BUT still enable the current user to view the clicked document without having a password request appear.
Is this possible to do in .htaccess?
Thanks for any suggestions.
Unless you are using HTTP auth to authenticate your user before the upload, this probably cannot be simply done with just .htaccess. You need to know file's owner and compare it with current user, which is way beyond the scope of usual web server's capabilities.
If you may use Nginx or Lighttpd, you may use X-Accel-Redirect/X-Sendfile header. There's also a module for Apache2 called mod_xsendfile. Make all request to /uploads transparently pass through your application, verify access then tell web server to send file. While this requires the ability to configure the web server (which is sometimes not possible) this is probably the most correct and universal solution.
Here are some useful links:
PHP and Ruby on Rails examples (and some general information on configuration)
Python/Django code snippet
You could use cookie based authentication (mod_auth_cookie) to grant access via htaccess for a particular location.
I am not sure if setting the cookie path to the specific file will work, but its worth a try.
You are better off doing this in the app layer though.
EDIT: This may be a better solution
I don't think this is possible in .htaccess - since .htaccess has no way of knowing which user uploaded which files. Even if it did (e.g. by putting files in uploads/username/), I don't think .htaccess files are the way to go. I think you'll probably want to enforce this at the application level.
Related
I'm working on a website that is generated from a server. I have a php file where I include files that are stored on my computer and are necessary for the code to work. The files that I need are related to google calendar API like my credentials and a link to the API folder just like in the quickstart.php example of google (https://developers.google.com/google-apps/calendar/quickstart/php).
I think that storing these files on the server is not such a good idea. Is there a way for me to link local files from the server in an include or require? Or do I have to put everything on the server? And in that case how do I know the filepath to my files?
I am not in control of the server I just have acces to a small part of it. It is the school server and I'm working on one directory or so from that server so I can't do anything from root or so.
Thanks in advance and if my question is unclear please notify me so I can rephrase it.
If you want to protect the code from exposure, try PHP ionCube Encoder. So someone who has access to the server can't read the code, but still it will run correctly.
You CAN include remote files via HTTP if you can configure the server to set the following in the php.ini.
allow_url_include = On
This is NOT the normal setting as it could leave you more vulnerable to attacks. So this method is not a recommended one, but it is possible.
You should consider setting up an additional account on Google and then using that to work with. You can share the relevant calandars from your personal account with that account and thus protect yourself better.
Create a folder on your server outside of the public html folder. Go one directory above your website route directory and create your folder there. People will not be able to navigate to that new folder as it is outside of your website route. Store your sensitive files in the new folder. Then just require them in your normal files as needed. This protects your sensitive files in the event your PHP handler failed (rare but can happen) as the content of your sensitive files would not be displayed to people as plain text on your website. Remember to set appropriate folder and file ownership and permissions also on your server.
I have password protected a folder using .htpasswd and .htaccess that contains digital assets that I want to control the downloading of using php.
I was planning on offering a download link using the mechanism:
http://username:password#www.website.com/directory/
However, I don't want people to have access to the username and password. In other words I want to make a php gateway file with a different url that decides to offer the download or not, based on information available in the database.
This is a security thing, so I'm not confident of where to start with this. I'm sure I could hash together some code but I'm not confident about it. How can I do this securely? Any help greatly appreciated.
If you have the technical possibility I would suggest you even store the assets outside of the web accessible folders so you don't need to rely on htaccess for protection. That way your PHP gateway script is the only way to access those files.
I won't go into details about writing the script itself, there are multitudes of ways to do that and it very much depends on your requirements what is best, so more information would be needed to give some advice to that. If your assets are very big then streaming them through your script might not work due to memory/time limitations, in that case you could symlink them from the safe location to a public location with a randomly hashed path/filename for a limited time and give that link out.
I have been wondering how secure a codeigniter setup is. Because information like db passwords etc is stored in config files in the main application folder could this be retrievable by hackers? I know you can move the application folder to a location away from the web root but is it still safe if you don't?
Also, even if you did move it some place else, the path to that other place is hardcoded into the index.php file that remains in the web root. I'm sure there is a simple explanation as to why it is safe, but could someone explain it to me?
I suppose that it depends on the hacker and the type of hack they are employing. If you're asking if some Joe Schmoe can view the config file settings from the web, then the answer is no. See Can a Client View Server Side PHP Source Code for more details.
If you're concerned that a hacker will break into your server for that kind of information, then you might want to invest some time in extending or overriding the native Database library and add some encryption for the database information as you read it from the configuration file. Or if you want to go completely hidden on the configuration, you could spend some time extending the Config class.
On the surface, CodeIgniter is as secure as any other PHP framework from the file sense. Place appropriate .htaccess rules and the web side should be just fine. That just leaves proper security of your web server.
Try running Google Skipfish against your app. See if it can sniff any lapses in security. The more likely case is your app using $_GET and $_POST variables directly in views, rather than the framework exposing your app to some risks.
If a site has php session's in place to enforce authentication/authorization to pages on the site which are implemented in php, how does the same logic enforce access to certain files.
Lets say a repository of files in a directory. So /var/www/html/ is protected via authentication however, this PHP authentication logic won't prohibit a user from simply going to http://site.com/someDirectory/fileIShouldNotAccess.txt and pulling that file.
How do you couple the php session and authentication with apache to enforce this type of behavior?
Since PHP won't be invoked when the user requests a non-PHP file, you can't have Apache enforce PHP's access protection. You can make a very coarse and easy-to-fake check in Apache to make sure that a session ID cookie is present, but that's highly insecure. It just checks if the cookie's there, not that it represents a valid session or that the user's actually been granted access.
This other answer might help. Using PHP/Apache to restrict access to static files (html, css, img, etc). Basically, you serve up all the protected content via a PHP script, instead of providing direct access.
A couple answers:
1) make your php sessions use HTTP authentication. Then you can use a .htaccess file to control file access in directories
2) Use mod_rewrite to redirect all requests to a "front controller". Let the front controller manage whether access is allowed, denied, or forwarded to a different controller module for further processing.
You can try HTTP Authentication with PHP. This article might help.
There is this PHP script on my website which I don't want people to be able to run by just typing its name in the browser.
Ideally I would like this script to be run only by registered users and only from within a Windows app (which I will have to provide). Can this be done ?
Alternatively, how can I protect this script so that it can only be called from a specific page or script?
Also how can I hide the exact URI from appearing on the address bar?
Thanks !
If you are running Apache for your webserver, you can protect it with a username/password combo using .htaccess. It takes a little configuration if your server is not already configured to allow .htaccess. Here are the Apache docs.
If you need authentication based on application-specific factors, you can put something at the top of your script like
<?php
if(!$user->isLoggedIn()) {
// do 404
header('HTTP/1.0 404 Not Found');
}
Do you have a question about how you would implement isLoggedIn?
You can also use mod_rewrite to rewrite URIs, and those directives can go inside your .htaccess as well. mod_rewrite can rewrite incoming requests transparently (from the browser's perspective) so a request for /foo/bar can be translated into secret_script.php/foo/bar. Docs for mod_rewrite.
However you decide to implement this, I would urge you to not rely solely on the fact that your script's name is obscure as a means to secure your application. At the very least, use .htaccess with some per-user authentication, and consider having your application authenticate users as well.
As Jesse says, it's possible to restrict your script to logged in users. There are a large number of questions on this already. Search for PHP authentication.
However, it is not possible to restrict it to a single application. It is fairly simple to use a program like Wireshark to see exactly how the program logs in and makes request. At that point, they can reproduce its behavior manually or in their own application.
There are a variety of different ways that you could go about securing a script. All have pluses and minuses, and its likely that the correct answer for your situation will be a combination of several.
Like mentioned, you could lock down the account with Apache...it's a good start. Similarly, you could build a powerful 'salt-ed' security system such as this: http://www.devarticles.com/c/a/JavaScript/Building-a-CHAP-Login-System-An-ObjectOriented-Approach/ If you use SSL as well, you're essentially getting yourself security like banks use on their websites--not perfect, but certainly not easy to break into.
But there are other ideas to consider too. Park your script in a class file that sits inaccessible via direct URI, then do calls to the various functions from an intermediary view script. Not perfect, but it does limit the ways that someone could directly access the file. Consider adding a "qualifier" to the URL via a simple get--have the script check for the qualifier or fail....again, not a great solution on its own, but one additional layer to dissuade the bad guys. If you have control of who's getting access (know exactly which networks) you could even go so far as to limit the IP's or the http referers that are allowed to access the file. Consider setting and checking cookies, with a clear expiration. Don't forget to set your robots file so the browsers don't stumble upon the script your trying to protect.
A while back my company did a membership app using Delphi on the front end, talking to php and MySql on the backend....it was a bit clunky given that we were all web application developers. If you're so inclined, perhaps Adobe Flex might be an option. But ultimately, you'll have to open a door that the application could talk to, and if someone was determined, theoretically they could dig through your app to find the credentials and use them to gain instant access to the site. If you're going the desktop app route, perhaps its time to consider having the app avoid talking to an intermediary script and do its work on the local machine, communicating the db that sits remote.
you can use deny access on .htaccess on a folder with a php authentification that will redirect to those php file