Protecting Web-Accessible Directory and Subcontents
Posted by: skfriese (---.241.33.65.cfl.res.rr.com)
Date: October 26, 2007 10:23PM

Is there any way to restrict access to the content within a web-accessible folder using the login details contained within a PHP session? Please read the scenario below before replying. ;)

I have an existing CodeIgniter application that happens to serve up web-accessible content. Users are required to log in to view the content, and their sessions are managed through DB-based PHP sessions. This all works fine, for the most part. However, it is still possible to access the web-accessible content directly by bypassing the CodeIgniter application altogether and entering the URL to the content in the browser's address bar.

Now, the reason why this is now a problem is that there was never a requirement to "lock down" the content. The application merely tracks the user's progress through the content using AJAX if the user is logged into the application. No such progress is tracked if it is accessed "outside of the application". No big deal, but the client wishes to lock this content down now, and only allow those logged into the system to access it.

Being familiar with htaccess/htpasswd, I am able to restrict access to the main content folder, but then the users must log in again to launch the content. Thus my question above. Is there any way to "set" $_SERVER['PHP_AUTH_USER'] or $_SERVER['PHP_AUTH_PW'] through PHP, so that I can set the HTTP authentication criteria when the user logs into the application? I'm also familiar with passing requests to the content through a "proxy" PHP script and authenticating that way instead, but that is not an option with this type of content as it is structured.

Any direction is greatly appreciated. I've attempted some serious Google-Fu over the past couple of days with no luck so far. :P

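For readers landing on this thread: the answer to the literal question is no. $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are filled in by PHP from the Authorization header the browser sends on each request; assigning to them inside a script changes only that script's array and does nothing to make Apache's mod_auth accept later requests for static files. The HTTP Basic realm and the PHP session are two unrelated credentials. The workable pattern is the gatekeeper script the poster mentions, with the twist that mod_rewrite keeps the browser-visible URLs unchanged, so the content's internal relative links (pages, images, scripts) keep resolving and every hit goes through the same session check. The following is an added example written for this thread, not code from the poster or from CodeIgniter. The directory names, the .htaccess rule, and the $_SESSION['user_id'] key are assumptions; in particular, it assumes the application's login code populates a native PHP session. If the application uses CodeIgniter's own session library (its own cookie and DB table) rather than $_SESSION, the authentication check in step 1 must read that cookie and table instead.

```php
<?php
// gate.php: added example (not from the original post). Serves files under
// the browser-visible /content/... prefix only when the PHP session says
// the user is logged in.
//
// Assumed Apache setup (hypothetical names): the real files live OUTSIDE the
// DocumentRoot, in ../protected_content, so a broken or disabled rewrite
// fails closed (404) instead of exposing them. The DocumentRoot .htaccess
// maps the /content/ prefix onto this script:
//
//   RewriteEngine On
//   RewriteRule ^content/(.*)$ gate.php?path=$1 [L]
//
// The URL the browser sees does not change, so relative links inside the
// content keep working and each request passes through this check.

// Assumption: the application's login code sets $_SESSION['user_id'] in the
// same PHP session (same cookie name and save handler) this script starts.
session_start();

// Resolve the content root once. If the directory is missing, realpath()
// returns false and every later prefix check would be meaningless, so bail.
$contentDir = realpath(dirname(__DIR__) . '/protected_content');
if ($contentDir === false) {
    deny(500, 'Content directory not configured');
}

// Minimal extension -> MIME map for the file types the gate will serve.
$mimeTypes = array(
    'html' => 'text/html', 'htm' => 'text/html', 'css' => 'text/css',
    'js'   => 'application/javascript', 'xml' => 'text/xml',
    'png'  => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif', 'swf' => 'application/x-shockwave-flash',
    'pdf'  => 'application/pdf', 'mp3' => 'audio/mpeg',
);

function deny($status, $text)
{
    header('HTTP/1.1 ' . $status . ' ' . $text);
    header('Content-Type: text/plain');
    echo $text;
    exit;
}

// 1. Authentication: no logged-in user in the session, no content.
//    (A redirect to the application's login page is the friendlier choice.)
if (empty($_SESSION['user_id'])) {
    deny(403, 'Forbidden');
}

// 2. Path validation: realpath() collapses ../ segments and symlinks;
//    anything that does not resolve to a regular file strictly inside
//    $contentDir is rejected, which blocks directory traversal.
$requested = isset($_GET['path']) ? $_GET['path'] : '';
$full = realpath($contentDir . '/' . $requested);
if ($full === false
    || !is_file($full)
    || strpos($full, $contentDir . DIRECTORY_SEPARATOR) !== 0) {
    deny(404, 'Not Found');
}

// 3. Only hand out known file types; stray .php, .bak, .inc files stay hidden.
$ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
if (!isset($mimeTypes[$ext])) {
    deny(404, 'Not Found');
}

// 4. Stream the file. Cache-Control: private stops a shared cache from
//    re-serving the body to the next, unauthenticated visitor.
header('Content-Type: ' . $mimeTypes[$ext]);
header('Content-Length: ' . filesize($full));
header('Cache-Control: private, max-age=0');
readfile($full);
```

Two practical notes. First, do not rely on the .htaccess rule alone to protect files that still sit under the DocumentRoot: if mod_rewrite is off or AllowOverride is tightened, Apache serves them directly again, which is why the example moves them outside the web root. Second, readfile() through PHP costs more than Apache serving a static file; if mod_xsendfile is installed, replacing the readfile() call with an X-Sendfile header carrying the resolved path lets Apache do the transfer while the PHP check stays in front of it.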
Re: Protecting Web-Accessible Directory and Subcontents
Posted by: CyberSpatium (---.hsd1.or.comcast.net)
Date: October 27, 2007 11:26PM

If you are going to host a production website on WAMP, you need to think about security. WAMP comes with none, so you will have to do everything yourself. And don't think that just because you have a firewall and antivirus you are safe. A firewall and antivirus will not stop SQL injection, cross-site scripting, CRLF injection, directory traversal, authentication hacking, AJAX security issues and more.

Securing your code is only half the battle. You still need to secure Apache, MySQL, PHP, and your web server.


[www.devshed.com]

[forums.devnetwork.net]

[www.acunetix.com]

[www.acunetix.com]

[www.acunetix.com]

[www.acunetix.com]



CyberSpatium
----------------------
WAMP English Forum Admin

I have WAMP5 working with (for development use only):
Windows Vista Ultimate x64 (64 bit)
Kaspersky Internet Security Suite 7.0.x
Spyware Terminator 2.x
CounterSpy 2.5.x

