Securing content behind login page

I am the webmaster/designer (no CMS) of www.champlainvalleyhog.com.

We have a login page for content which is not supposed to be accessible to anyone other than members, but if you know the physical file path of the documents in question, you can still get to them, such as:

http://www.champlainvalleyhog.com/secure/login.php (login page)

http://www.champlainvalleyhog.com/secure/membersonly/2013/2013-01.doc (path that you should not be able to get to without logging in)

Thanks in advance!


7 Comments

@russelvasquez (Feb 18, 2013) — Hi there,

I think the best solution would be to create one page with a link and then embed a script that will redirect to login.

like this:

<?php
if (isset($_POST['field'])) {
    // allowed: the request carries the expected field, so show the content
} else {
    // not allowed: send the visitor to the login page and stop the script
    header('Location: login.php');
    exit;
}
?>

I hope it will help you.

@vtdev2013 (author, Mar 03, 2013) — Maybe I did not specify clearly.

I already have:

<?php
require_once("./include/membersite_config.php");

// Only attempt the login when the form was actually submitted
if (isset($_POST['submitted'])) {
    if ($fgmembersite->Login()) {
        $fgmembersite->RedirectToURL("login-home.php");
    }
}
?>

...which prevents unauthorized access to my PHP files.

I need to prevent access to all files below wwwroot/secure/membersonly which are pdf, doc, xls, etc.


Thanks again!
@NogDog (Mar 03, 2013) — You need to create a file-server script, and put the actual files outside of the docroot (or in a directory tree where you prohibit access via the web server settings). Then you put your access control within the file server script, so it won't serve anything up if access is not granted.
@vtdev2013 (author, Mar 03, 2013) — While searching for a wide range of options, I found this... which works.

Still trying to figure out how.

AuthUserFile /dev/null
AuthGroupFile /dev/null
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.champlainvalleyhog.com.* [NC]
RewriteCond %{HTTP_REFERER} !^http://.champlainvalleyhog.com/secure.* [NC]
RewriteCond %{HTTP_REFERER} !^http://champlainvalleyhog.com.* [NC]
RewriteCond %{HTTP_REFERER} !^http://www.champlainvalleyhog.com/secure.* [NC]
RewriteRule /* http://www.champlainvalleyhog.com/index.php [R,L]
@NogDog (Mar 03, 2013) — I suspect that can be defeated by anyone who knows how to set the HTTP_REFERER header (such as any PHP developer using the cURL functions).
@AK223 (Mar 08, 2013) — If you're looking for some help with securing information in mobile development, I believe there are some solid resources here to assist you. I know I've had plenty of worries about securing user information, especially in our new mobile era which is prone to information theft. http://www.verious.com/board/Giancarlo-Leonio/mobile-security-and-privacy/
@kerrylinux (Mar 09, 2013) — Your members have to get some secret information after logging in that distinguishes them from ordinary users of your website. Put your members-only stuff outside the web server tree and check if a user can present the secret information when he tries to access a members-only file name. Change the secret information with every login attempt.
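The file-server approach that NogDog and kerrylinux describe, written out as an added example. This is not code from the thread or from the OP's site: it assumes the documents have been moved to a hypothetical directory /var/www/private/membersonly outside the docroot, that the login handler sets $_SESSION['member_id'] after a successful $fgmembersite->Login() and calls session_regenerate_id(true) (kerrylinux's "change the secret with every login"), and that the script is reached as /secure/download.php?year=2013&file=2013-01.doc. The session is the secret the member must present; the filename allowlist and the realpath prefix check keep the request confined to that directory.

```php
<?php
// Added example (not the OP's code): members-only file server.
// Documents live OUTSIDE the web root, so Apache never serves them directly;
// this script is the only route to them and it checks the session first.
//
// Assumed (hypothetical) surroundings:
//   - login handler sets $_SESSION['member_id'] on success and calls
//     session_regenerate_id(true) so the session id changes at every login
//   - documents stored under /var/www/private/membersonly/<year>/<file>
//   - requested as /secure/download.php?year=2013&file=2013-01.doc

declare(strict_types=1);

session_start();

// Directory outside the web root that holds the protected documents (assumed path).
const DOC_ROOT = '/var/www/private/membersonly';

// Only hand out the document types the OP mentioned (pdf, doc, xls).
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'doc' => 'application/msword',
    'xls' => 'application/vnd.ms-excel',
];

/**
 * Map the requested year/file to a real path inside DOC_ROOT.
 * Returns null when the request is malformed, missing, or escapes the directory.
 */
function resolveDocument(string $year, string $file): ?string
{
    // Strict allowlists: a four-digit year and a plain filename with an
    // expected extension. No slashes, no "..", no hidden tricks in the name.
    if (!preg_match('/^\d{4}$/', $year)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_-]+\.(pdf|doc|xls)$/', $file)) {
        return null;
    }

    $candidate = realpath(DOC_ROOT . '/' . $year . '/' . $file);
    $base      = realpath(DOC_ROOT);

    // realpath() is false for a missing file; the prefix check is a second
    // line of defence in case the patterns above are ever loosened.
    if ($candidate === false || $base === false
        || strncmp($candidate, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// 1. Access control first: no logged-in session, no file.
if (empty($_SESSION['member_id'])) {
    header('Location: /secure/login.php');
    exit;
}

// 2. Validate the request before touching the filesystem.
$path = resolveDocument((string)($_GET['year'] ?? ''), (string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// 3. Stream the document with an explicit type and a download filename.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

Because the documents no longer sit under wwwroot/secure/membersonly, a direct request for the old .doc URL simply returns 404, whatever the Referer says; the links on the members' pages point at download.php instead. If the files cannot be moved outside the docroot, the same result comes from denying the directory in the Apache configuration, as NogDog notes, so that only this script can read it.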