First of all, I would like to say that I have used the search box looking for a similar question and was unsuccessful, maybe because of my poor English skills.

I have a 'homemade' framework. I have certain PHP files that must only be visible to the admin. The way I currently do this is to check within every single page whether a session has been opened. If not, the user gets redirected to a 404 page, to make it seem like the file which has been requested doesn't exist.

I really don't know if this is guaranteed to work or if there's a better and safer way, because I'm currently working with kind of confidential data that should never become public.

Could you give me some tips? Or leave a link where I could find some?

Thank you very much, and again excuse me for kicking the dictionary.

EDIT

What I usually write at the top of each file is something like this

<?php
include("sesion.php");
$rs = comprueba(); // 'check': returns true when the admin session exists

if ($rs) {
?>

And then, at the end

<?php
}
else {
    header("Location: err404.html");
    exit; // stop here so nothing after the redirect header is sent
}
?>

It is such a botched job, isn't it?

EDIT

Let's say I have a customers list in a file named customers.php

That file may be currently on http://www.mydomain.com/admin/customers.php and it must only be visible for the admin user. Once the admin user has been logged in, I create a session variable. That variable is what I check on the top of each page, and if it exists, the customers list is shown. If not, the user gets redirected to the 404 page.

Thank you for your patience. I really appreciate it.

+5  A: 

Apologies if I'm incorrect in interpreting your question but I think you're asking the best way to protect individual PHP pages used in the framework from people typing in the URL to view them?

If so, the best route I've found is to declare a constant in your master file (usually index.php).

<?php
define( '_MYAPP', 1 );

Then, at the top of each PHP file (before you define your classes) put -

<?php
defined( '_MYAPP' ) or die( 'No access.' );
Jarrod
I *think* that's what he's asking...
Josh
Yes.. that's it.. and thank you for your comment Josh
Hermet
Thank you Jarrod, your way is much simpler than which I usually use.
Hermet
@Hermet: Please note that what @Jarrod is explaining how to do is different from what I now understand your question to be asking.
Josh
It's just a different way.. the constant can be declared when the admin has logged on and then check that constant in each file.. however, I will keep using this way (kind of described by dabito) if you guys say that it's actually safe. Thanks a lot!!
Hermet
@Hermet: Defining a constant like this is useful to protect the user from accessing specific pages they should never access, so if your `admin.php` page included `functions.php`, you could check for a define in `functions.php` to see if `admin.php` was loaded first. This prevents people from going to `functions.php` in their browser.
Josh
Ditto @Josh. This method is only good for preventing people running files that are never meant to be run. Another tip along these lines - in each folder of your framework have an "index.html" - this will keep people from getting a directory listing of your framework if you don't already have Apache/IIS configured to block such views.
Jarrod
+3  A: 

I strongly recommend you use sessions.

Now, I think there are two ways to do this.

Easiest way I can think of is: make a session.php file and include/require it in every file in your application.

In this session.php do a session check for security tokens you can define when the user successfully logs in (preferably an encrypted salted string).

Edit: What I do in session.php file is die(); or redirect with header(); if no correct session is detected.

If you want, you can add an array of "public" files so that session check is skipped if one of those files is currently being executed.

The other harder way to do this (still using sessions and token verification) would be creating a dispatcher file that checked sessions and then redirected requests to a view that rendered the requested action.

If security is vital in your app, you should read this guide: PHP Security Guide: Overview by the PHP Security Consortium.

dabito
+1: This answers a fundamentally different issue from @Jarrod's question, but the issue you're addressing, @dabito, you're addressing well. Again I can't tell which one the question is asking about...
Josh
Thanks dabito, what could I use instead of sessions? @Josh, I've edited the former question with the current way I am using. That may explain better what I want to do. Thanks.
Hermet
@Hermet: Thanks for the clarification, I understand perfectly what you want to do and @dabito's answer is the one which does what you want.
Josh
I edited the answer after reading your code. You can just die(); or redirect using headers in your session.php file if a session is detected and then avoid the use of the "if" you have there.
dabito
@dabito: I think he specifically wants to throw a 404 for security through obscurity, that is, `die('access denied')` gives away that this is a protected resource, a 404 makes it appear that the URL is invalid when in fact it's valid, just not for *that user*
Josh
Exactly. @Josh, May I hire you as my personal translator? :-D
Hermet
@Hermet: Sure! But my discounted rate of $0.00/hour is only for StackOverflow ;-)
Josh
Thank you all guys!!
Hermet
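Putting Jarrod's constant guard, dabito's session check and dispatcher idea, and Hermet's "answer with a 404" requirement together, here is an added example of a single entry point (index.php) that serves the admin area. It is not code from any answer in this thread; the file names under views/, the `page` query parameter, the `admin`/`login_at` session keys and the 30-minute timeout are assumptions made for the example.

```php
<?php
// index.php: a single entry point ("dispatcher") for the admin area.
// Hypothetical layout assumed by this example (not from the thread):
//   index.php, views/home.php, views/login.php, views/customers.php, views/err404.php
define('_MYAPP', 1);             // Jarrod's marker: each view refuses to run without it

ini_set('session.use_only_cookies', '1');  // no session ids in URLs
ini_set('session.cookie_httponly', '1');   // cookie not readable from JavaScript
session_start();

// The only pages that exist. Only these keys are ever used to build a file path,
// so index.php?page=../sesion.php can never reach the filesystem.
$routes = array(
    'home'      => array('file' => 'views/home.php',      'admin' => false),
    'login'     => array('file' => 'views/login.php',     'admin' => false),
    'customers' => array('file' => 'views/customers.php', 'admin' => true),
);

// Called by views/login.php once the password has been verified (assumed helper).
function start_admin_session()
{
    session_regenerate_id(true);       // drop the pre-login id (session fixation)
    $_SESSION['admin']    = true;
    $_SESSION['login_at'] = time();
}

// The "session check" dabito describes: a flag set at login plus an idle timeout.
function is_admin()
{
    return !empty($_SESSION['admin'])
        && isset($_SESSION['login_at'])
        && (time() - $_SESSION['login_at']) < 1800;   // 30 minutes, arbitrary choice
}

// Hermet's 404 trick with a real status code: a protected page and an unknown
// page get exactly the same response, so nothing reveals that the URL is valid.
function not_found()
{
    $proto = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0';
    header($proto . ' 404 Not Found');
    include 'views/err404.php';
    exit;   // stop here, otherwise the rest of the script still runs and is sent
}

$page = isset($_GET['page']) ? $_GET['page'] : 'home';

if (!isset($routes[$page])) {
    not_found();                                    // unknown page
}
if ($routes[$page]['admin'] && !is_admin()) {
    not_found();                                    // protected page, no admin session
}
include $routes[$page]['file'];

// Every file under views/ begins with Jarrod's guard, so requesting
// /views/customers.php directly (bypassing this dispatcher) shows nothing:
//
//     <?php defined('_MYAPP') or die('No access.');
//
// Jarrod's index.html tip, or "Options -Indexes" in Apache, additionally
// stops anyone from listing the contents of views/.
```

Two details matter for the 404 to be convincing: the web server's own error page for genuinely missing files should be the same views/err404.php (Apache's `ErrorDocument 404`), and every refusal path must end in `exit`, since PHP keeps executing after `header()` and would otherwise append the protected content to the error response. The guard at the top of each view is a second line of defence only; the real control is that no view is reachable except through the route table.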
+2  A: 
<?php
$logged_in = 'no';
include("session.php"); // changes $logged_in to yes if logged in

if($logged_in == 'no'){
header("Location: login.php?error=notloggedin");
exit;
}
?>

you can either put this at the top of all of your pages, or simply put this in your session.php file, or make a header.php file to include in all pages.

Derek
What if I block `Location` header in my browser? You should add `exit;` after `header()`.
Crozin
Very true, good looks. Updated the code.
Derek
@Derek: Nice, now it's good for a +1 (tomorrow when I get more votes :-)
Josh