
security issue with htaccess and php, need help

Posted: Tue Mar 21, 2006 11:18 am
by hurdy gurdy
Hi all,

I help run a media heavy website that restricts users from directly accessing content without a username/pass. Until recently the site has been pretty low key and hasn't attracted many people that would try to circumvent the login function. However, I have noticed lately that the usernames and passwords are being passed around on different sites where the login info is in the web address itself (http://username:password@www.example.co ... gename.php).

I have added some code to the site that looks at the URL and if it detects that it was accessed from outside of my server the user is redirected to a registration page. However, the user is still considered logged on with that user/pass and can navigate through the site to the restricted page (if they bothered to try).

Is there a means, using PHP, to ensure that I can eliminate their ability to navigate through the site until they have registered? Somehow destroying their session maybe?

It should be noted that the protected files are in a folder with an .htaccess file in it. I am completely ignorant when it comes to handling that stuff and any information would be extremely helpful.

Thanks!

Posted: Tue Mar 21, 2006 11:33 am
by Weirdan
Is there a means, using PHP, to ensure that I can eliminate their ability to navigate through the site until they have registered?
Well, if it's a password sharing issue, you can do nothing about it. However you prevent it, people will share their account details... unless they have strong reason for not doing so.

Posted: Tue Mar 21, 2006 11:36 am
by chadillac
$_SESSION's ;)


just have it store a trigger in the session $isRegistered = 1 or 0 ... if 0 (you can't view this) ... if 1 (here's your video) and is registered is set to 0 until the user logs in officially.



as for stopping people from sharing their login info.... set some private information viewable upon login ..... if people know that they give out their password but in turn could lose the ability to login to their own account because someone changed their password or something along those lines ... i would think this would prevent some sharing... another approach would be to check IPs possibly or sessions ... if multiple sessions are open for one user something is probably fishy, or if multiple IPs are simultaneously connected to the same user account, this could also be fishy...


maybe I'm missing something, but they are approaches I would take
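The session-flag gate and the duplicate-session check described in the reply above, as an added example written for this thread (not code posted by any participant). It keeps a PHP session flag that only the site's own login form can set, so a request that Apache let through on the .htaccess credentials alone still lands on the registration page. The function names, the `/register.php` and `/members/` paths, the temp-file session store and the `demo` account are all assumptions for illustration; a real site would use its user database.

```php
<?php
// Added example for the thread (not the poster's code). Gates protected
// pages on a PHP session flag that is independent of the HTTP Basic
// credentials accepted by .htaccess: Apache may admit the request, but
// PHP only serves the content once $_SESSION['isRegistered'] is 1.

session_start();

// Assumed helper: check a username/password against the user store.
// This constructed example accepts a single account named "demo".
function credentials_are_valid(string $user, string $pass): bool
{
    $constructed_users = ['demo' => password_hash('demo-pass', PASSWORD_DEFAULT)];
    return isset($constructed_users[$user])
        && password_verify($pass, $constructed_users[$user]);
}

// Path of the small per-account session store used by the concurrency
// check below (assumed; a DB table would replace it in practice).
function session_store_path(): string
{
    return sys_get_temp_dir() . '/active_sessions.json';
}

// Remember the newest session id and client IP for an account.
function record_active_session(string $user, string $sid): void
{
    $store = session_store_path();
    $data = is_file($store) ? (json_decode(file_get_contents($store), true) ?? []) : [];
    $data[$user] = ['sid' => $sid, 'ip' => $_SERVER['REMOTE_ADDR'] ?? '', 'at' => time()];
    file_put_contents($store, json_encode($data), LOCK_EX);
}

// True only if this session is the most recent login for the account.
// A second login from elsewhere supersedes the first, which is the
// "multiple sessions open for one user" signal from the reply above.
function session_is_current(string $user): bool
{
    $store = session_store_path();
    $data = is_file($store) ? (json_decode(file_get_contents($store), true) ?? []) : [];
    return isset($data[$user]) && $data[$user]['sid'] === session_id();
}

// Called from the login form handler only. Regenerating the id means a
// session established before login cannot be carried into the logged-in
// state, and the flag defaults to unset (i.e. 0) for every other visitor.
function mark_registered(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['isRegistered'] = 1;
    $_SESSION['user'] = $user;
    record_active_session($user, session_id());
}

// Called at the top of every protected page. Unset flag or a superseded
// session: drop the session and send the visitor to registration.
function require_registered(string $registration_url): void
{
    if (empty($_SESSION['isRegistered']) || !session_is_current($_SESSION['user'] ?? '')) {
        session_unset();
        session_destroy();
        header('Location: ' . $registration_url);
        exit;
    }
}

// --- login.php (assumed file name): only an explicit form POST sets the flag.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && credentials_are_valid($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    mark_registered($_POST['user']);
    header('Location: /members/index.php');   // assumed landing page
    exit;
}

// --- any protected page under /members/ (assumed path):
require_registered('/register.php');
echo "here's your video";                      // content served only past the gate
```

The gate does not log anyone out of the .htaccess prompt itself, since browsers resend HTTP Basic credentials on every request and the server cannot revoke them; it simply refuses to serve anything until the PHP login has happened in this session, and it invalidates an older session when the same account logs in again.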