security issue with htaccess and php, need help
Posted: Tue Mar 21, 2006 11:18 am
Hi all,
I help run a media-heavy website that restricts users from directly accessing content without a username/password. Until recently the site has been pretty low key and hasn't attracted many people who would try to circumvent the login function. However, I have noticed lately that the usernames and passwords are being passed around on different sites, where the login info is in the web address itself (http://username:password@www.example.co ... gename.php).
I have added some code to the site that looks at the URL and, if it detects that it was accessed from outside of my server, the user is redirected to a registration page. However, the user is still considered logged on with that user/pass and can navigate through the site to the restricted page (if they bothered to try).
Is there a means, using PHP, to ensure that I can eliminate their ability to navigate through the site until they have registered? Somehow destroying their session maybe?
It should be noted that the protected files are in a folder with an .htaccess file in it. I am completely ignorant when it comes to handling that stuff and any information would be extremely helpful.
Thanks!
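Added example, not the original poster's code: the reason the redirect does not "log out" anyone is that .htaccess password protection is HTTP Basic auth, which has no server-side session at all. The browser simply resends the Authorization header (or the user:pass@ part of the URL) with every request, so there is nothing for PHP to destroy; the only way to revoke a leaked Basic auth password is to change it for everyone who shares it. The sketch below moves the gate into a PHP session instead: Apache is told never to serve the media folder directly, a single serve.php hands out files only to a valid session, and session_destroy() then genuinely cuts off access. The file names (media/, serve.php, login.php, register.php), the $_SESSION['user'] flag set by your login page, and PHP 7+ syntax are all assumptions for the illustration.

```php
<?php
// serve.php: gate files under media/ with a PHP session instead of HTTP Basic auth.
// Example code, not the original poster's. Assumes:
//   - login.php sets $_SESSION['user'] after checking the username/password
//   - media/.htaccess denies direct access so Apache never serves the files itself:
//       Apache 2.2:  Order deny,allow
//                    Deny from all
//       Apache 2.4:  Require all denied
//   - this script is called as /serve.php?file=clip.mp4 (no subdirectories)

session_start();

$mediaDir = realpath(__DIR__ . '/media');

// Same idea as the poster's existing check: a request whose Referer names another
// host came from a link on someone else's site. The Referer is not a strong control
// (it can be empty or forged), but failing the check now has teeth, because we drop
// the server-side session and clear its cookie, and the browser holds no credential
// it could resend on the next page (the difference from Basic auth).
$host    = $_SERVER['HTTP_HOST'] ?? '';
$referer = $_SERVER['HTTP_REFERER'] ?? '';
$refHost = $referer === '' ? '' : (string) parse_url($referer, PHP_URL_HOST);

if (empty($_SESSION['user']) || ($refHost !== '' && strcasecmp($refHost, $host) !== 0)) {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: /register.php', true, 302);
    exit;
}

// Resolve the requested file and refuse anything outside media/ (blocks ../ tricks).
$name = basename((string) ($_GET['file'] ?? ''));
$path = ($name === '') ? false : realpath($mediaDir . DIRECTORY_SEPARATOR . $name);
if ($path === false
    || strpos($path, $mediaDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit;
}

// Stream the file; Content-Disposition keeps the original name for the browser.
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . rawurlencode($name) . '"');
readfile($path);
```

With the files behind serve.php, the leaked user:pass@ links stop working as soon as the shared password is changed or the account is disabled in login.php, and because each login now has its own session you can also spot one account being used from many places at once. Keep the .htaccess deny in place even if you later drop the Basic auth block from it; without it a direct URL to media/ bypasses the script entirely.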