Keeping html files private

bladecatcher
Forum Commoner
Posts: 67
Joined: Sat Mar 12, 2005 12:50 am

Post by bladecatcher »

G'day All,
I'm using sessions to manage access to private content on our site.
However, the "content" is in html files and included using what I call templates.
A clever outsider could easily circumvent the session security by calling the page directly.
How would you suggest I keep these private pages private?
(Note: I can't use session control in these files because they are included by the templates, which already use sessions.)

Thanking you in anticipation,
blade
BZorch
Forum Commoner
Posts: 45
Joined: Mon May 02, 2005 10:42 pm

Post by BZorch »

I have been saving my includes in a folder outside of the public/webroot folder.

include ('../folder_outside_of_www_folder/header.html');

This is like the usual practice for storing MySQL connection scripts. As far as I understand, no one could access the files if they are outside of the public folder/www.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Any files that I do not want users to be able to access directly that I CAN'T put outside the root folder I turn into PHP files with security checks at the beginning. Something like checking to see if a page var is set or a session var is set. If not, then you throw in a die(). Otherwise let it load by the script.
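The two suggestions above (BZorch's "keep the HTML outside the web root" and RobertGonzalez's "front it with a PHP file that checks the session") combine naturally into one gatekeeper script. The following is an added example written for this thread, not code posted by either of them. It assumes the private HTML lives in /var/www/private_html/ (outside the document root), that the login code sets $_SESSION['user_id'], and that the script is called as private_page.php?page=welcome. The page name is mapped through an allow-list so a request parameter can never be turned into an arbitrary filesystem path.

```php
<?php
// private_page.php -- added example, not from the original thread.
// Assumptions: private HTML files are stored in /var/www/private_html/
// (outside the web root, so they cannot be fetched by URL), and the
// login handler sets $_SESSION['user_id'] on successful authentication.

session_start();

// 1. Session check: refuse anyone who has not logged in.
if (empty($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    die('Access denied.');
}

// 2. Allow-list of page names. The request parameter is only ever used as
//    a key into this array, never concatenated into a path, so "../" or
//    absolute paths in ?page= cannot reach files outside the private folder.
$pages = array(
    'welcome' => 'welcome.html',
    'reports' => 'reports.html',
);

$page = isset($_GET['page']) ? (string) $_GET['page'] : 'welcome';
if (!isset($pages[$page])) {
    header('HTTP/1.1 404 Not Found');
    die('No such page.');
}

// 3. Serve the file from outside the document root. readfile() streams the
//    contents; the HTML itself is never reachable by a direct HTTP request.
$file = '/var/www/private_html/' . $pages[$page];
header('Content-Type: text/html; charset=utf-8');
readfile($file);
```

Templates that currently include the HTML directly can keep doing so (include() reads from the filesystem, so the files being outside the web root does not affect them); the gatekeeper is only needed when a private page must also be reachable by URL.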
TJ
Forum Newbie
Posts: 20
Joined: Thu Nov 03, 2005 10:22 pm
Location: Nottingham, UK

Post by TJ »

As the pages that can be accessed directly are HTML, PHP doesn't get involved so any security measures you take on those need to be done from the HTTP server.

Simple basic authorisation using .htaccess (on Linux), or ACLs on Windows (removing the read permission for the IUSR_MACHINENAME account on .HTM/.HTML files and setting PHP to run under a named account).

You can't use referrer checking with something like Authentix because that can be faked easily.

Or, as has been said by BZorch, you could move the HTML files out of the web folders completely.
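If the HTML files have to stay under the web root, the Apache-side fix TJ describes can be as small as a .htaccess file in the folder that holds them. The snippet below is an added example, not from TJ's post: it tells Apache to refuse every direct HTTP request for a .htm/.html file in that directory, while PHP's include() (a filesystem read, not an HTTP request) keeps working. The first form is Apache 2.4 syntax, the commented-out second form is the older 2.2 equivalent; AllowOverride must permit Limit/AuthConfig directives for .htaccess to take effect.

```apache
# .htaccess in the folder holding the private HTML templates
# (added example; assumes Apache 2.4 and AllowOverride enabled for this path)

<FilesMatch "\.html?$">
    # Apache 2.4: deny all direct requests for .htm / .html files
    Require all denied

    # Apache 2.2 equivalent (use instead of the line above on old servers):
    # Order deny,allow
    # Deny from all
</FilesMatch>
```

A quick check after deploying: requesting one of the HTML files by URL should now return 403, while the PHP template that includes it still renders normally.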