tags:

views:

111

answers:

3
+2  Q: 

What's the best technique to protect my framework from visitors who are not logged in?

First of all, I would like to say that I have used the search box looking for a similar question and was unsuccessful, maybe because of my poor english skills.

I have a a 'homemade' framework. I have certain PHP files that must only be visible for the admin. The way I currently do this is check within every single page to see if a session has been opened. If not, the user gets redirected to a 404 page, to seem like the file which has been requested doesn't exist.

I really don't know if this is guaranteed to work or if there's a better and more safe way because I'm currently working with kind of confidential data that should never become public.

Could you give me some tips? Or leave a link where I could find some?

Thank you very much, and again excuse me for kicking the dictionary.

EDIT

What I usually write in the top of each file is something like this

<?php
include("sesion.php");
$rs=comprueba(); //'check'

if ($rs) { 
?>

And then, at the end

<?php 
}
else { header("Location: err404.html"); }
?>

Is it such a butched job, isn't it?

EDIT

Let's say I have a customers list in a file named customers.php

That file may be currently on http://www.mydomain.com/admin/customers.php and it must only be visible for the admin user. Once the admin user has been logged in, I create a session variable. That variable is what I check on the top of each page, and if it exists, the customers list is shown. If not, the user gets redirected to the 404 page.

Thank you for your patience. I really appreciate.

+5  A: 

Apologies if I'm incorrect in interpreting your question but I think you're asking the best way to protect individual PHP pages used in the framework from people typing in the URL to view them?

If so, the best route I've found is to declare a constant in your master file (usually index.php).

<?php
define( '_MYAPP', 1 );

Then, at the top of each PHP file (before you define your classes) put -

<?php
defined( '_MYAPP' ) or die( 'No access.' );
Jarrod  2010-05-21 21:05:12
I *think* that's what he's asking...
Josh  2010-05-21 21:06:34
Yes.. that's it.. and thank you for your comment Josh
Hermet  2010-05-21 21:14:55
Thank you Jarrod, your way is much simpler than which I usually use.
Hermet  2010-05-21 21:16:08
@Hermet: Please note that what @Jarrod is explaining how to do is different from what I now understand your question to be asking.
Josh  2010-05-21 21:37:51
It's just a different way.. the constant can be declared when the admin has logged on and then check that constant in each file.. however, I will keep using this way (kind of descripted by dabito) if you guys say that it's actually safe. Thanks a lot!!
Hermet  2010-05-21 21:45:27
@Hermet: Defining a constant like this is useful to protect the user from accessing specific pages they should never access, so if your `admin.php` page included `functions.php`, you could check for a define in `functions.php` to see if `admin.php` was loaded first. This prevents people from going to `functions.php` in their browser.
Josh  2010-05-21 21:55:27
Ditto @Josh. This method is only good for preventing people running files that are never meant to be run. Another tip along these lines - in each folder of your framework have an "index.html" - this will keep people from getting a directory listing of your framework if you don't already have Apache/IIS configured to block such views.
Jarrod  2010-05-24 14:37:23
+3  A: 

I strongly recommend you use sessions.

Now, i think there's two ways to do this.

Easiest way I can think of is: make a session.php file and include/require it in every file in your application.

In this session.php do a session check for security tokens you can define when the user succesfully logs in (preferably an encrypted salted string).

Edit: What I do in session.php file is die(); or redirect with header(); if no correct session is detected.

If you want, you can add an array of "public" files so that session check is skipped if one of those files is currently being executed.

The other harder way to do this (still using sessions and token verification) would be creating a dispatcher file that checked sessions and then redirected requests to a view that rendered the requested action.

If security is vital in your app, You should read this guide: PHP Security Guide: Overview by the php security consortioum.

dabito  2010-05-21 21:13:39
+1: This answers a fundamentally different issue from @Jarrod's question, but the issue you're addressing, @dabito, you're addressing well. Again I can't tell which one the question is asking about...
Josh  2010-05-21 21:16:57
Thanks dabito, what could I use instead of sessions?@Josh, I've eddited the former question with the current way I am using. That may explain better what I want to do. Thanks.
Hermet  2010-05-21 21:21:30
@Hermet: Thanks for the clarification, I understand perfectly what you want to do and @dabito's answer is the one which does what you want.
Josh  2010-05-21 21:33:00
I edited the answer after reading your code. You can just die(); or redirect using headers in your session.php file if session is detected and then avoid the use of the "if" you have there.
dabito  2010-05-21 21:52:38
@dabito: I think he specifically wants to throw a 404 for security through obscurity, that is, `die('access denied')` gives away that this is a protected resource, a 404 makes it appear that the URL is invalid when in fact it's valid, just not for *that user*
Josh  2010-05-21 21:56:51
Exactly. @Josh, May I hire you as my personal translator? :-D
Hermet  2010-05-21 21:59:09
@Hermet: Sure! But my discounted rate of $0.00/hour is only for StackOverflow ;-)
Josh  2010-05-21 22:00:56
Thank you all guys!!
Hermet  2010-05-21 22:02:16
+2  A:  
<?php
$logged_in = 'no';
include("session.php"); // changes $logged_in to yes if logged in

if($logged_in == 'no'){
header("Location: login.php?error=notloggedin");
exit;
}
?>

you can either put this at the top of all of your pages, or simply put this in your session.php file, or make a header.php file to include in all pages.

Derek  2010-05-21 21:50:53
What if I block `Location` header in my browser? You should add `exit;` after `header()`.
Crozin  2010-05-21 21:54:22
very true, good looks. updated the code.
Derek  2010-05-21 22:04:08
@Derek: Nice, now it's good for a +1 (tomorrow when I get more votes :-)
Josh  2010-05-21 22:12:52

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases