Solved

protect a web page from non authorized access

Posted on 2012-04-02
16
355 Views
Last Modified: 2012-04-09
Dear experts,

I found out that one web page that I thought was protected from unauthorized access is in fact non protected.

An user can copy the link, then still can access this page without having to be logged in.

How I can force the user to log in even if he tries to do a copy/paste ? (he knows what the link looks like).

Thanks in advance for you help
0
Comment
Question by:currentdb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
  • 2
  • +1
16 Comments
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 37799613
When you use PHP to create a login, you have to have code to check that login on each and every page that you want restricted.  There are other methods to protect a directory but they more difficult to use and don't protect a single file.   Here http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html is Ray's article on the subject.
0
 
LVL 10

Expert Comment

by:Tobias
ID: 37799617
Dear,

You have some choice, the first more easy to install is to secure the access of the link with .htaccess but it will also protect the whole folder.

One other choice, would be to do a login / password for the user with a session, and check for every page that you want access that the session is valid.

 Example login.php :
// After check the password :

session_start();
$_SESSION['login'] = $login;	

Open in new window


Example anypage.php :
session_start();

if(!isset($_SESSION['login'])) {
include('login.php');		
}
else{
//Process the page
}

Open in new window


Regards
0
 
LVL 1

Author Comment

by:currentdb
ID: 37799747
There's one major problem. Only login page, logout page, membership page and shopping cart pages are in php. The rest are just html.

I am wondering if I have to convert some of them from html to php or if there's another way around.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 10

Expert Comment

by:Tobias
ID: 37799769
I suggest to convert it. You don't need to modify all the code, rename the file to php and then add the detection of that the user is logged on the top and this should work.

Regards
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 37799779
If you are to protect them with a login, you need to convert all of them to use PHP to check the login.  Put it first and you can leave the HTML part of it alone.  But it does need to be a *.php file.
0
 
LVL 1

Author Comment

by:currentdb
ID: 37800525
I made renamed just one page from .html to .php and added the code suggested by MadShiva. I added this code at the top of the page. I made a test but the page is still unprotected. If I copy the link to this page in the browser, hoping that it will re-direct me to the login page, well, here it does not. I am wondering what does not work.
0
 
LVL 10

Assisted Solution

by:Tobias
Tobias earned 150 total points
ID: 37800583
Dear,

This was an example, this whas not supposed to work totally. I corrected the script that you should put in the top of the page.
<?php
session_start();

if(!isset($_SESSION['login'])) 
	{
	header("Location: login.php");   
	exit;
	}
?>

<HTML> 
... my page protected :)

</HTML>

Open in new window



PS: I think you know but I would clarify that after ?> is the contents of your html page.
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 37800714
If you follow the directions in this article, you can make HTML pages password protected, too.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391.html

Here is an example, untested but valid in principle.  You will want to change your .htaccess file to cause HTML documents to be parsed through PHP (or rename your page with a .php file extension).
<?php // PROTECT A PLAIN OLD HTML PAGE
error_reporting(E_ALL);
require_once('RAY_EE_config.php');
$uid = access_control();
?><!DOCTYPE html>
<html dir="ltr" lang="en-US">
<!-- WEB PAGE IN PLAIN HTML FOLLOWS HERE...

Open in new window

0
 
LVL 1

Author Comment

by:currentdb
ID: 37804644
Hi MadShiva, Ray_Paseur

Thank you for your code. It helped to protect the page that was just renamed from .html to .php.

I changed the header location as it is:

<?php
session_start();

if(!isset($_SESSION['login'])) 
	{
	header("Location: http://yoursite.com/amember/login?amember_redirect_url=http://yoursite.com/fable4.php");   
	exit;
	}
?>

Open in new window


Basically if anyone knows the url and wants to access the fable4.php page, he's forced to go to the login form first. This redirect url worked before, but as I added it here, it began to fail apart. What happens is once the user is logged in is that he's not redirected anymore to this page fable4.php

Again I am lost :(
0
 
LVL 10

Expert Comment

by:Tobias
ID: 37804850
Dear currentdb,

This code that I post, will redirect people if the value of the session["login"] is not set, then it force the redirection to the page login.

I'm not sure what you have set from your page login, personnaly I use this after control of the login/password, maybe the session is not set correctly in your code, or another variable is used (from the article of Ray Paster it didn't use login but uid) :

session_start();
$_SESSION['login'] = $login;	

Open in new window


After I redirect the people to the index.php for example page.

Regards
0
 
LVL 1

Author Comment

by:currentdb
ID: 37804866
Dear MadShiva,

When I used your code without modifications to this line header("Location: login.php"); it did not work. Then I understood that the server was not able to locate the login.php page.

Then I changed it to header("Location: http://yoursite.com/amember/login and it forces the user to go to the login page first.

Last, I had to redirect the user back to the desired page, hence the second change header("Location: http://yoursite.com/amember/login?amember_redirect_url=http://yoursite.com/fable4.php");  
      exit;


From your code, what I don't understand is where the user is redirected. When I changed the header for a second time, I really hoped that the user will be finally redirected to this page but for reasons that I don't understand, it ends into a server loop.
0
 
LVL 10

Expert Comment

by:Tobias
ID: 37804938
Dear,

Ok . I'm not sure if I understand correctly, but you could try like this :


<?php
session_start();

if(!isset($_SESSION['login'])) 
	{
	header("Location: http://yoursite.com/amember/login");   
	exit;
	}
        else
              {
               header("Location: http://yoursite.com/fable4.php");   
               }


?>

Open in new window


This will redirect to http://yoursite.com/amember/login if the user is not logged, and http://yoursite.com/fable4.php if the user is logged.
0
 
LVL 1

Author Comment

by:currentdb
ID: 37804973
It does not work. At least there is no server loop.

It's better if you see by yourself.

<?php
session_start();

if(!isset($_SESSION['login'])) 
	{
	header("Location: http://signipedia.com/amember/login");   
	exit;
	}
        else
              {
               header("Location: http://signipedia.com/fable4.php");   
               }


?>

Open in new window


Login ID: serge6
PW: bader6

You will notice that the member is still not redirected to the proper page, but will be redirected to member's area.

PLease use this link to access this page:
http://www.signipedia.com/fable4.php

I hope you understand better this problem :)
0
 
LVL 10

Expert Comment

by:Tobias
ID: 37805046
Dear,

You need to set the value of the login after that you have check the password in the file, the session could exist but the variable $_SESSION['login'] is not set.


You should modifiy the page of the form of the login by doing this:

Then you set the value of the login with :
session_start();
$_SESSION['login'] = $login;	

Open in new window

                               
The variable $login should be set like abow from the value of amember_login form that you have posted after the control of the password, also you need to start the session with session_start();

Hope that's clear for you.

Regards
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 37806257
Please see line 44 of the RAY_EE_config code snippet in the article I linked above.  That is 100% of what you need to know to find the original entry point to the web site.  It really is that easy!
0
 
LVL 1

Author Comment

by:currentdb
ID: 37826418
Finally made it to work! I had to make some calls to my hosting company and ask them for help. They told me that kind of access should be in the root server directory.

So here's what the code looks like:

<?php
require_once '/xxx/xxx/xxx/public_html/amember/library/Am/Lite.php'; // Adjust path to aMember folder
if (!Am_Lite::getInstance()->isLoggedIn()) {
    header("Location: http://signipedia.com/amember/login?amember_redirect_url=http://signipedia.com/fable4.php"); 
    exit;
}
?>

Open in new window


It was not that easy, but at least it works :)

Thanks to both of you for your great help.
0

Featured Post

Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This article discusses how to implement server side field validation and display customized error messages to the client.
In this tutorial viewers will learn how to embed an audio file in a webpage using HTML5. Ensure your DOCTYPE declaration is set to HTML5: : The declaration should display (CODE) HTML5 is supported by the most recent versions of all major browsers…
The viewer will receive an overview of the basics of CSS showing inline styles. In the head tags set up your style tags: (CODE) Reference the nav tag and set your properties.: (CODE) Set the reference for the UL element and styles for it to ensu…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question