Securing PHP webpage/url access

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

dv_evan
Forum Commoner
Posts: 42
Joined: Wed Apr 09, 2008 8:23 am

Securing PHP webpage/url access

Post by dv_evan »

Dear All,

How can I secure my webpage URL from outsiders getting to see my pages, for example,
http://www.website/mypage.php.
Now anyone can log on to my website and access these pages, assuming these pages were intended for only me to access. How can I prevent anyone from just typing in the URL (http://www.website/mypage.php) and accessing my page?

I'll appreciate all help and suggestions.

thanks
Dave
hansford
Forum Commoner
Posts: 91
Joined: Mon May 26, 2008 12:38 am

Re: Securing PHP webpage/url access

Post by hansford »

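The best way is to use templates, but if you're not into that then make everything be processed through an index.php page.
Then at the beginning of every page you have

<?php
// Send any request that is not for /index.php back to the front page.
if ($_SERVER['REQUEST_URI'] != "/index.php") {
    header("Location: http://www.yoursite.com/index.php");
    exit; // stop the rest of this page from running after the redirect
}
?>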
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Securing PHP webpage/url access

Post by Eran »

You should either create a PHP based login system, or use Apache authentication methods - http://httpd.apache.org/docs/2.2/howto/auth.html
WebbieDave
Forum Contributor
Posts: 213
Joined: Sun Jul 15, 2007 7:07 am

Re: Securing PHP webpage/url access

Post by WebbieDave »

You can permit only certain IP addresses access to the page (whitelisting) or, as suggested above, protect access to the page with a username and password. Either of these methods can be implemented in PHP or via web server configuration.
zplits
Forum Contributor
Posts: 158
Joined: Sun Aug 03, 2008 8:59 pm

Re: Securing PHP webpage/url access

Post by zplits »

Just another option. Set protected directories in your server.

Hope it helps.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Securing PHP webpage/url access

Post by Apollo »

hansford wrote: The best way is to use templates, but if you're not into that then make everything be processed through an index.php page.
Then at the beginning of every page you have

<?php
// Send any request that is not for /index.php back to the front page.
if ($_SERVER['REQUEST_URI'] != "/index.php") {
    header("Location: http://www.yoursite.com/index.php");
    exit; // stop the rest of this page from running after the redirect
}
?>

How would that help in restricting access from other users?
devendra-m
Forum Contributor
Posts: 111
Joined: Wed Sep 12, 2007 3:16 am

Re: Securing PHP webpage/url access

Post by devendra-m »

You can check the IP address with $_SERVER['REMOTE_ADDR'] or RewriteCond %{REMOTE_ADDR} in htaccess
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: Securing PHP webpage/url access

Post by The_Anomaly »

devendra-m wrote: You can check the IP address with $_SERVER['REMOTE_ADDR'] or RewriteCond %{REMOTE_ADDR} in htaccess

I was under the impression that IP addresses are generally not the best way to prevent access, as they are constantly changing. That is, unless you have a static one--which the OP did not specify. Am I correct about this? Or does the IP not change that often?

As was formerly posted, you can just set up a PHP based login system. Or server based authentication.
omniuni
Forum Regular
Posts: 738
Joined: Tue Jul 15, 2008 10:50 pm
Location: Carolina, USA

Re: Securing PHP webpage/url access

Post by omniuni »

Basically, the way I do this for my CMS is this (You can customize it to make it pretty):

1. Create a login page that asks for a passphrase; in the PHP, create a session variable ($_SESSION['loggedIn']) that is false until it receives a proper POST of the passphrase, at which point it sets it to true.

2. Create a checklogin.php which essentially contains:

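<?php
// checklogin.php: stop the page unless this session has logged in.
session_start(); // load the session so $_SESSION is populated
if (empty($_SESSION['loggedIn'])) {
    die();
}
?>
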
3. At the top of each page you wish to secure, on the very first line do <?php require('checklogin.php'); ?>

This completely stops the server from sending information from that script to the browser. You can have die() output something when it's exiting, though, so you can use a redirect, for example, to send the browser to the login page.

It's not 100% secure, but it works pretty well.

Good Luck,
OmniUni
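
The three steps in omniuni's post, written out as an added example that is not code from any poster in this thread. The file name auth.php, the function names, the /login.php URL, the `passphrase` form field and the ADMIN_PASSPHRASE_HASH environment variable are all assumptions made for illustration; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// auth.php (hypothetical file name): added example, not code from the thread.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started by the including page
    }
    session_set_cookie_params([
        'httponly' => true,     // cookie is not readable from JavaScript
        'secure'   => true,     // cookie is only sent over HTTPS
        'samesite' => 'Strict', // cookie is not attached to cross-site requests
    ]);
    session_start();
}

// Step 1: the login page passes the POSTed form data to this function.
// Assumption: ADMIN_PASSPHRASE_HASH holds the output of password_hash(),
// generated offline, so the passphrase itself is never stored on the server.
function attempt_login(array $post): bool
{
    start_secure_session();
    $hash = getenv('ADMIN_PASSPHRASE_HASH');
    $passphrase = $post['passphrase'] ?? null;   // hypothetical field name
    if (!is_string($hash) || !is_string($passphrase)
            || !password_verify($passphrase, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh session ID on login (anti-fixation)
    $_SESSION['loggedIn'] = true;
    return true;
}

// Steps 2 and 3: call this before any output on every protected page, e.g.
//   require __DIR__ . '/auth.php'; require_login();
function require_login(string $loginUrl = '/login.php'): void
{
    start_secure_session();
    if (empty($_SESSION['loggedIn'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit;   // nothing from the protected page is sent after this
    }
}
```

On the login page itself, call `attempt_login($_POST)` for POST requests and redirect to the protected page when it returns true.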