security issue with htaccess and php, need help

Post by hurdy gurdy »

Hi all,

I help run a media-heavy website that restricts users from directly accessing content without a username/pass. Until recently the site has been pretty low key and hasn't attracted many people that would try to circumvent the login function. However, I have noticed lately that the usernames and passwords are being passed around on different sites where the login info is in the web address itself (http://username:password@www.example.co ... gename.php).

I have added some code to the site that looks at the URL and if it detects that it was accessed from outside of my server the user is redirected to a registration page. However, the user is still considered logged on with that user/pass and can navigate through the site to the restricted page (if they bothered to try).

Is there a means, using PHP, to ensure that I can eliminate their ability to navigate through the site until they have registered? Somehow destroying their session maybe?

It should be noted that the protected files are in a folder with an .htaccess file in it. I am completely ignorant when it comes to handling that stuff and any information would be extremely helpful.

Thanks!

Post by Weirdan »

> Is there a means, using PHP, to ensure that I can eliminate their ability to navigate through the site until they have registered?

Well, if it's a password sharing issue, you can do nothing about it. However you prevent it, people will share their account details... unless they have strong reason for not doing so.

Post by chadillac »

$_SESSION's ;)


just have it store a trigger in the session $isRegistered = 1 or 0 ... if 0 (you can't view this) ... if 1 (here's your video) and is registered is set to 0 until the user logs in officially.

as for stopping people from sharing their login info.... set some private information viewable upon login ..... if people know that they give out their password but in turn could lose the ability to log in to their own account because someone changed their password or something along those lines ... I would think this would prevent some sharing... another approach would be to check IPs possibly or sessions ... if multiple sessions are open for one user something is probably fishy, or if multiple IPs are simultaneously connected to the same user account, this could also be fishy...


maybe I'm missing something, but they are approaches I would take
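
The two ideas in the post above (a session flag checked on every protected page, and spotting one account in use from several IPs at once), as an added example that is not part of the thread. The function names, the `/register.php` path, the 300-second window, the IP threshold and the sample hits are all assumptions constructed for illustration.

```php
<?php
// Gate for protected pages. In a real page (hypothetical path):
//   session_start();
//   if (!is_registered($_SESSION)) { header('Location: /register.php'); exit; }
// The flag lives server-side, so Basic-auth credentials in a URL never set it.
function is_registered(array $session): bool
{
    return ($session['isRegistered'] ?? 0) === 1;
}

// Call only after the site's own login form has verified the user.
function mark_registered(array &$session, string $user): void
{
    $session['isRegistered'] = 1;
    $session['user'] = $user;
}

// Flag accounts seen from more than $maxIps distinct IPs within $window seconds.
// $hits: rows of ['user' => string, 'ip' => string, 'ts' => int], in any order.
function flag_shared_accounts(array $hits, int $window, int $maxIps): array
{
    usort($hits, fn($a, $b) => $a['ts'] <=> $b['ts']);
    $recent = [];   // user => hits still inside the sliding window
    $flagged = [];  // user => distinct IPs that tripped the threshold
    foreach ($hits as $h) {
        $u = $h['user'];
        $recent[$u][] = $h;
        // Keep only hits inside the window ending at the current hit.
        $recent[$u] = array_values(array_filter(
            $recent[$u],
            fn($r) => $h['ts'] - $r['ts'] <= $window
        ));
        $ips = array_unique(array_column($recent[$u], 'ip'));
        if (count($ips) > $maxIps) {
            $flagged[$u] = array_values($ips);
        }
    }
    return $flagged;
}

// Constructed sample data: made-up users, documentation IP ranges.
$hits = [
    ['user' => 'alice', 'ip' => '192.0.2.10',   'ts' => 1000],
    ['user' => 'bob',   'ip' => '198.51.100.7', 'ts' => 1010],
    ['user' => 'alice', 'ip' => '203.0.113.5',  'ts' => 1030],
    ['user' => 'alice', 'ip' => '198.51.100.9', 'ts' => 1060],
];
print_r(flag_shared_accounts($hits, 300, 2));
$session = [];  // stands in for $_SESSION
mark_registered($session, 'alice');
var_dump(is_registered([]), is_registered($session));
```

Requires PHP 7.4 or later for the arrow functions. A flagged account is a signal for review or a forced password reset, not proof of sharing, since mobile and proxy users can legitimately change IP.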