
Keeping html files private

Posted: Sun Nov 06, 2005 4:05 am
by bladecatcher
G'day All,
I'm using sessions to manage access to private content on our site.
However, the "content" is in html files and included using what I call templates.
A clever outsider could easily circumvent the session security by calling the page directly.
How would you suggest I keep these private pages private?
(Note: I can't use session control because these are included by the templates, which use sessions.)

Thanking you in anticipation,
blade

Posted: Sun Nov 06, 2005 7:06 am
by BZorch
I have been saving my includes in a folder outside of the public/webroot folder.

include ('../folder_outside_of_www_folder/header.html');

This is like the protocol for storing MySQL connection scripts. As far as I understand, no one could access the files if they are outside of the public folder/www.
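To make BZorch's suggestion concrete, here is an added example (not code from the thread) of a single "gatekeeper" script that serves private HTML stored outside the web root, and only to a visitor with a login session. It assumes a login script that sets $_SESSION['user_id'], a private page directory at /var/www/private_pages, and header.php/footer.php template files next to the script; all of these names are assumptions for the example.

```php
<?php
// gatekeeper.php: the only URL through which private HTML is ever reached.
// Assumed layout: /var/www/private_pages/*.html (outside DocumentRoot),
// header.php and footer.php alongside this script (hypothetical names).
session_start();

$privateDir = realpath('/var/www/private_pages');   // assumed location
if ($privateDir === false) {
    http_response_code(500);
    exit('Private page directory is missing.');
}

// 1. Session check: no login session, no content. Because the HTML files
//    sit outside the web root, this is the only way to reach them over HTTP.
if (empty($_SESSION['user_id'])) {           // set by the (assumed) login script
    http_response_code(403);
    exit('Please log in.');
}

// 2. Choose the page from a fixed allowlist. Never build the path straight
//    from $_GET: "../../etc/passwd" would otherwise read any file PHP can.
$allowed = array('welcome', 'reports', 'members');
$page = isset($_GET['page']) ? $_GET['page'] : 'welcome';
if (!in_array($page, $allowed, true)) {
    http_response_code(404);
    exit('No such page.');
}

// 3. Resolve the real path and confirm it is still inside the private
//    directory, so a symlink dropped into it cannot point elsewhere.
$file = realpath($privateDir . '/' . $page . '.html');
if ($file === false || strpos($file, $privateDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('No such page.');
}

// 4. Wrap the private HTML in the template. readfile() copies the file
//    verbatim; unlike include(), it will not execute PHP tags found in it.
header('Content-Type: text/html; charset=utf-8');
include __DIR__ . '/header.php';
readfile($file);
include __DIR__ . '/footer.php';
```

Requested as gatekeeper.php?page=reports, the script checks the session, the allowlist and the resolved path before reading the file; nothing in /var/www/private_pages is reachable by any other URL, because the web server never maps that directory.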

Posted: Sun Nov 06, 2005 7:56 am
by RobertGonzalez
Any files that I do not want users to be able to access directly that I CAN'T put outside the root folder I turn into PHP files with security checks at the beginning. Something like checking to see if a page var is set or a session var is set. If not, then you throw in a die(). Otherwise let it load by the script.
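An added example of the guard RobertGonzalez describes (not his code): secret.html is renamed to secret.php and gets a check at the top that combines both of his conditions, a marker the including template sets and a session variable the login script sets. The constant name IN_TEMPLATE and the session key user_id are assumptions for this example.

```php
<?php
// secret.php (formerly secret.html): the original markup is untouched below;
// only this guard is prepended. It assumes the including template has
// already called session_start() and define('IN_TEMPLATE', true) before
// include 'secret.php'; both names are hypothetical.
//
// Requested directly, IN_TEMPLATE is undefined and $_SESSION is empty
// (session_start() was never called), so the request dies here.
if (!defined('IN_TEMPLATE') || empty($_SESSION['user_id'])) {
    http_response_code(403);
    die('Direct access to this page is not allowed.');
}
?>
<!-- original HTML content follows, exactly as it was in secret.html -->
<h1>Members only</h1>
<p>Private material.</p>
```

The including template does the other half: session_start(); define('IN_TEMPLATE', true); include 'secret.php';. The page var check alone is not enough on its own, since a constant can only be defined by PHP code that ran in the same request, which is exactly why the session check is kept alongside it: the constant proves the file was included rather than fetched, and the session proves the visitor is logged in.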

Posted: Sun Nov 06, 2005 9:15 am
by TJ
As the pages that can be accessed directly are HTML, PHP doesn't get involved so any security measures you take on those need to be done from the HTTP server.

Simple basic authorisation using .htaccess (on Linux), or ACLs on Windows (removing the read permission for IUSR_MACHINENAME on .HTM/.HTML files and setting PHP to run under a named account).

You can't use referrer checking with something like Authentix because that can be faked easily.

Or, as has been said by BZorch, you could move the HTML files out of the web folders completely.
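As an added example of TJ's web-server-side approach (not configuration from the thread), the following .htaccess is placed in the directory that holds the private .html files, assumed here to be /var/www/html/private/ under DocumentRoot. PHP's include() and readfile() read the filesystem directly and never pass through Apache's access checks, so the templates keep working while every direct HTTP request for the directory is refused.

```apache
# .htaccess in /var/www/html/private/ (assumed path)
# Needs "AllowOverride AuthConfig Limit" (or All) for this directory in the
# main server configuration, otherwise Apache silently ignores this file.

# Apache 2.4 syntax: refuse every direct request for anything in here.
Require all denied

# Apache 2.2 and earlier (the syntax current when this thread was written):
# Order deny,allow
# Deny from all

# Alternative for the basic-authorisation route TJ mentions, replacing the
# "Require all denied" line above; the password file is a hypothetical path
# and must itself sit outside DocumentRoot:
# AuthType Basic
# AuthName "Members area"
# AuthUserFile /etc/apache2/private.htpasswd
# Require valid-user
```

Check it from outside with curl -I https://example.com/private/secret.html (hostname assumed): a 403 means the deny rule is active; a 200 usually means AllowOverride is off for that directory. Note that the basic-auth variant grants access on Apache's password file, independently of the PHP sessions the templates use, so the two login systems have to be kept in step by hand.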