Page 1 of 1

Securing PHP webpage/url access

Posted: Mon Jun 09, 2008 3:51 pm
by dv_evan
Dear All,

How can I secure my webpage url from outsider getting to see my pages, for example,
http://www.website/mypage.php.
Now anyone can logon to my website and access these pages, assuming these pages were intended for only me to access. How can I prevent anyone from just typing in the url (http://www.website/mypage.php) and accessing my page?

I'll appreciate all help and suggestions.

thanks
Dave

Re: Securing PHP webpage/url access

Posted: Mon Jun 09, 2008 5:45 pm
by hansford
the best way is to use templates, but if youre not into that then make everything be processed through an index.php page.
Then at the beginning of every page you have
<?php
if($_SERVER['REQUEST_URI'] != "/index.php"){
header("Location:http://www.yoursite.com/index.php");
?>

Re: Securing PHP webpage/url access

Posted: Mon Jun 09, 2008 5:59 pm
by Eran
You should either create a PHP based login system, or use Apache authentication methods - http://httpd.apache.org/docs/2.2/howto/auth.html

Re: Securing PHP webpage/url access

Posted: Fri Jun 13, 2008 6:32 pm
by WebbieDave
You can permit only certain ip addresses access to the page (whitelisting) or, as suggested above, protect access to the page with a username and password. Either of these methods can be implemented in PHP or via web server configuration.

Re: Securing PHP webpage/url access

Posted: Wed Aug 13, 2008 1:15 am
by zplits
Just another option. Set protected directories in your server.

Hope it helps.

Re: Securing PHP webpage/url access

Posted: Wed Aug 13, 2008 2:53 am
by Apollo
hansford wrote:the best way is to use templates, but if youre not into that then make everything be processed through an index.php page.
Then at the beginning of every page you have
<?php
if($_SERVER['REQUEST_URI'] != "/index.php"){
header("Location:http://www.yoursite.com/index.php");
?>
How would that help restricting the access from other users?

Re: Securing PHP webpage/url access

Posted: Wed Aug 13, 2008 5:22 am
by devendra-m
you can check ip address with $_SERVER['REMOTE_ADDR'] or RewriteCond %{REMOTE_ADDR} in htaccess

Re: Securing PHP webpage/url access

Posted: Wed Aug 13, 2008 3:21 pm
by The_Anomaly
devendra-m wrote:you can check ip address with $_SERVER['REMOTE_ADDR'] or RewriteCond %{REMOTE_ADDR} in htaccess
I was under the impression that IP Adresses are generally not the best way to prevent access, as they are constantly changing. That is, unless you have a static one--which the OP did not specify. Am I correct at this? Or does the IP not change that often?

As was formerly posted, you can just set up a PHP based login system. Or server based authentication.

Re: Securing PHP webpage/url access

Posted: Wed Aug 13, 2008 5:34 pm
by omniuni
Basically, the way I do this for my CMS is this (You can customize it to make it pretty):

1. Create a login page that asks for a passphrase; in the php, create a session variable ($_SESSION['loggedIn']) that is false, until it receives a proper POST of the passphrase, at which point it sets it to true.

2. Create a checklogin.php which essentially contains:

Code: Select all

 
<?php
if(!$_SESSION['loggedIn']){
die();
}
?>
3. At the top of each page you wish to secure, on the very first line do <?php require('checklogin.php'); ?>

This completely stops the server from sending information from that script to the browser. You can have die() output something when it's exiting, though, so you can use a redirect, for example, to send the browser to the login page.

It's not 100% secure, but it works pretty well.

Good Luck,
OmniUni