Solved

protect a web page from non authorized access

Posted on 2012-04-02
Last Modified: 2012-04-09
Dear experts,

I found out that one web page that I thought was protected from unauthorized access is in fact not protected.

A user can copy the link and can then still access this page without having to be logged in.

How can I force the user to log in even if he tries to do a copy/paste? (He knows what the link looks like.)

Thanks in advance for your help
0
Question by:currentdb
16 Comments
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 400 total points
ID: 37799613
When you use PHP to create a login, you have to have code to check that login on each and every page that you want restricted. There are other methods to protect a directory but they are more difficult to use and don't protect a single file. Here http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html is Ray's article on the subject.
0
 
LVL 10

Expert Comment

by:Tobias
ID: 37799617
Dear,

You have some choices. The first, and the easiest to set up, is to secure access to the link with .htaccess, but it will also protect the whole folder.

Another choice would be to set up a login / password for the user with a session, and check on every page that you want to restrict that the session is valid.

Example login.php:
// After checking the password:

session_start();
$_SESSION['login'] = $login;


Example anypage.php:
session_start();

if (!isset($_SESSION['login'])) {
    include('login.php');
} else {
    // Process the page
}


Regards
0
 
LVL 1

Author Comment

by:currentdb
ID: 37799747
There's one major problem. Only login page, logout page, membership page and shopping cart pages are in php. The rest are just html.

I am wondering if I have to convert some of them from html to php or if there's another way around.
0
 
LVL 10

Expert Comment

by:Tobias
ID: 37799769
I suggest converting it. You don't need to modify all the code; rename the file to .php and then add the check that the user is logged in at the top, and this should work.

Regards
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 37799779
If you are to protect them with a login, you need to convert all of them to use PHP to check the login.  Put it first and you can leave the HTML part of it alone.  But it does need to be a *.php file.
0
 
LVL 1

Author Comment

by:currentdb
ID: 37800525
I renamed just one page from .html to .php and added the code suggested by MadShiva. I added this code at the top of the page. I made a test but the page is still unprotected. If I copy the link to this page in the browser, hoping that it will redirect me to the login page, well, here it does not. I am wondering what does not work.
0
 
LVL 10

Assisted Solution

by:Tobias
Tobias earned 600 total points
ID: 37800583
Dear,

This was an example; it was not supposed to work totally. I corrected the script that you should put at the top of the page.
<?php
session_start();

if (!isset($_SESSION['login'])) {
    header("Location: login.php");
    exit;
}
?>

<HTML>
... my page protected :)

</HTML>



PS: I think you know but I would clarify that after ?> is the contents of your html page.
0
 
LVL 111

Accepted Solution

by:Ray Paseur
Ray Paseur earned 1000 total points
ID: 37800714
If you follow the directions in this article, you can make HTML pages password protected, too.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391.html

Here is an example, untested but valid in principle.  You will want to change your .htaccess file to cause HTML documents to be parsed through PHP (or rename your page with a .php file extension).
<?php // PROTECT A PLAIN OLD HTML PAGE
error_reporting(E_ALL);
require_once('RAY_EE_config.php');
$uid = access_control();
?><!DOCTYPE html>
<html dir="ltr" lang="en-US">
<!-- WEB PAGE IN PLAIN HTML FOLLOWS HERE...

0
 
LVL 1

Author Comment

by:currentdb
ID: 37804644
Hi MadShiva, Ray_Paseur

Thank you for your code. It helped to protect the page that was just renamed from .html to .php.

I changed the header location as it is:

<?php
session_start();

if(!isset($_SESSION['login'])) 
	{
	header("Location: http://yoursite.com/amember/login?amember_redirect_url=http://yoursite.com/fable4.php");   
	exit;
	}
?>

Basically if anyone knows the URL and wants to access the fable4.php page, he's forced to go to the login form first. This redirect URL worked before, but when I added it here, it began to fall apart. What happens is that once the user is logged in, he's not redirected anymore to this page fable4.php

Again I am lost :(
0
 
LVL 10

Expert Comment

by:Tobias
ID: 37804850
Dear currentdb,

The code that I posted will redirect people if the value of session["login"] is not set; it then forces the redirection to the login page.

I'm not sure what you have set in your login page. Personally, I use this after checking the login/password. Maybe the session is not set correctly in your code, or another variable is used (the article by Ray Paseur didn't use login but uid):

session_start();
$_SESSION['login'] = $login;

Afterwards I redirect people to, for example, the index.php page.

Regards
0
 
LVL 1

Author Comment

by:currentdb
ID: 37804866
Dear MadShiva,

When I used your code without modifications to this line header("Location: login.php"); it did not work. Then I understood that the server was not able to locate the login.php page.

Then I changed it to header("Location: http://yoursite.com/amember/login"); and it forces the user to go to the login page first.

Last, I had to redirect the user back to the desired page, hence the second change header("Location: http://yoursite.com/amember/login?amember_redirect_url=http://yoursite.com/fable4.php");  
      exit;


From your code, what I don't understand is where the user is redirected. When I changed the header for a second time, I really hoped that the user will be finally redirected to this page but for reasons that I don't understand, it ends into a server loop.
0
 
LVL 10

Expert Comment

by:Tobias
ID: 37804938
Dear,

OK. I'm not sure if I understand correctly, but you could try it like this:

<?php
session_start();

if (!isset($_SESSION['login'])) {
    header("Location: http://yoursite.com/amember/login");
    exit;
} else {
    header("Location: http://yoursite.com/fable4.php");
}
?>

This will redirect to http://yoursite.com/amember/login if the user is not logged in, and to http://yoursite.com/fable4.php if the user is logged in.
0
 
LVL 1

Author Comment

by:currentdb
ID: 37804973
It does not work. At least there is no server loop.

It's better if you see by yourself.

<?php
session_start();

if (!isset($_SESSION['login'])) {
    header("Location: http://signipedia.com/amember/login");
    exit;
} else {
    header("Location: http://signipedia.com/fable4.php");
}
?>


Login ID: serge6
PW: bader6

You will notice that the member is still not redirected to the proper page, but will be redirected to member's area.

Please use this link to access this page:
http://www.signipedia.com/fable4.php

I hope you understand better this problem :)
0
 
LVL 10

Expert Comment

by:Tobias
ID: 37805046
Dear,

You need to set the value of the login after you have checked the password in the file; the session could exist while the variable $_SESSION['login'] is not set.

You should modify the login form page by doing this:

Then you set the value of the login with:
session_start();
$_SESSION['login'] = $login;

The variable $login should be set as above from the value of the amember_login form that you have posted, after the password check; you also need to start the session with session_start();

Hope that's clear for you.

Regards
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 37806257
Please see line 44 of the RAY_EE_config code snippet in the article I linked above.  That is 100% of what you need to know to find the original entry point to the web site.  It really is that easy!
0
 
LVL 1

Author Comment

by:currentdb
ID: 37826418
Finally got it to work! I had to make some calls to my hosting company and ask them for help. They told me that kind of access should be in the root server directory.

So here's what the code looks like:

<?php
require_once '/xxx/xxx/xxx/public_html/amember/library/Am/Lite.php'; // Adjust path to aMember folder
if (!Am_Lite::getInstance()->isLoggedIn()) {
    header("Location: http://signipedia.com/amember/login?amember_redirect_url=http://signipedia.com/fable4.php"); 
    exit;
}
?>


It was not that easy, but at least it works :)

Thanks to both of you for your great help.
0
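
The pattern this thread converges on (check the session at the top of every protected page, redirect with exit, then send the user back to the page originally requested), written as an added example that is not code from any poster, from Ray's article or from aMember. The file name auth_guard.php, LOGIN_URL, the return_to session key and the function names are assumptions; the return target is kept in the session and limited to a local path instead of being passed as a full URL in the query string.

```php
<?php
// auth_guard.php (hypothetical name): added example, not code from this thread.
// Protected page, first statement: require_once 'auth_guard.php'; $user = require_login();
// login.php, after the password check succeeds: complete_login($login);
declare(strict_types=1);

const LOGIN_URL = '/login.php'; // assumed site-relative path of the login form

/** Accept only a local path as a redirect target; anything else becomes "/". */
function safe_return_path(string $candidate): string
{
    // One leading "/" only (rejects "http://...", "//host", "/\host"); no control characters.
    return preg_match('#^/(?![/\\\\])[^\x00-\x1f]*\z#', $candidate) === 1 ? $candidate : '/';
}

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/** Call before any output. Returns the login name, or redirects to the login form and stops. */
function require_login(): string
{
    ensure_session();
    if (isset($_SESSION['login']) && is_string($_SESSION['login']) && $_SESSION['login'] !== '') {
        return $_SESSION['login'];
    }
    // Remember the requested page so the login script can send the user back to it.
    $_SESSION['return_to'] = safe_return_path($_SERVER['REQUEST_URI'] ?? '/');
    header('Location: ' . LOGIN_URL, true, 302);
    exit; // without this, the protected HTML below the check is still sent
}

/** Call in the login script once the password has been verified. */
function complete_login(string $login): void
{
    ensure_session();
    session_regenerate_id(true); // fresh session ID for the authenticated session
    $_SESSION['login'] = $login;
    $target = safe_return_path((string) ($_SESSION['return_to'] ?? '/'));
    unset($_SESSION['return_to']);
    header('Location: ' . $target, true, 302);
    exit;
}
```

Both functions send headers, so they must run before the page emits any HTML or whitespace.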
