Solved

protect a web page from non authorized access

Posted on 2012-04-02
16
348 Views
Last Modified: 2012-04-09
Dear experts,

I found out that one web page that I thought was protected from unauthorized access is in fact non protected.

An user can copy the link, then still can access this page without having to be logged in.

How I can force the user to log in even if he tries to do a copy/paste ? (he knows what the link looks like).

Thanks in advance for you help
0
Comment
Question by:currentdb
  • 6
  • 6
  • 2
  • +1
16 Comments
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 37799613
When you use PHP to create a login, you have to have code to check that login on each and every page that you want restricted.  There are other methods to protect a directory but they more difficult to use and don't protect a single file.   Here http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html is Ray's article on the subject.
0
 
LVL 10

Expert Comment

by:MadShiva
ID: 37799617
Dear,

You have some choice, the first more easy to install is to secure the access of the link with .htaccess but it will also protect the whole folder.

One other choice, would be to do a login / password for the user with a session, and check for every page that you want access that the session is valid.

 Example login.php :
// After check the password :

session_start();
$_SESSION['login'] = $login;	

Open in new window


Example anypage.php :
session_start();

if(!isset($_SESSION['login'])) {
include('login.php');		
}
else{
//Process the page
}

Open in new window


Regards
0
 
LVL 1

Author Comment

by:currentdb
ID: 37799747
There's one major problem. Only login page, logout page, membership page and shopping cart pages are in php. The rest are just html.

I am wondering if I have to convert some of them from html to php or if there's another way around.
0
 
LVL 10

Expert Comment

by:MadShiva
ID: 37799769
I suggest to convert it. You don't need to modify all the code, rename the file to php and then add the detection of that the user is logged on the top and this should work.

Regards
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 37799779
If you are to protect them with a login, you need to convert all of them to use PHP to check the login.  Put it first and you can leave the HTML part of it alone.  But it does need to be a *.php file.
0
 
LVL 1

Author Comment

by:currentdb
ID: 37800525
I made renamed just one page from .html to .php and added the code suggested by MadShiva. I added this code at the top of the page. I made a test but the page is still unprotected. If I copy the link to this page in the browser, hoping that it will re-direct me to the login page, well, here it does not. I am wondering what does not work.
0
 
LVL 10

Assisted Solution

by:MadShiva
MadShiva earned 150 total points
ID: 37800583
Dear,

This was an example, this whas not supposed to work totally. I corrected the script that you should put in the top of the page.
<?php
session_start();

if(!isset($_SESSION['login'])) 
	{
	header("Location: login.php");   
	exit;
	}
?>

<HTML> 
... my page protected :)

</HTML>

Open in new window



PS: I think you know but I would clarify that after ?> is the contents of your html page.
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 37800714
If you follow the directions in this article, you can make HTML pages password protected, too.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391.html

Here is an example, untested but valid in principle.  You will want to change your .htaccess file to cause HTML documents to be parsed through PHP (or rename your page with a .php file extension).
<?php // PROTECT A PLAIN OLD HTML PAGE
error_reporting(E_ALL);
require_once('RAY_EE_config.php');
$uid = access_control();
?><!DOCTYPE html>
<html dir="ltr" lang="en-US">
<!-- WEB PAGE IN PLAIN HTML FOLLOWS HERE...

Open in new window

0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 1

Author Comment

by:currentdb
ID: 37804644
Hi MadShiva, Ray_Paseur

Thank you for your code. It helped to protect the page that was just renamed from .html to .php.

I changed the header location as it is:

<?php
session_start();

if(!isset($_SESSION['login'])) 
	{
	header("Location: http://yoursite.com/amember/login?amember_redirect_url=http://yoursite.com/fable4.php");   
	exit;
	}
?>

Open in new window


Basically if anyone knows the url and wants to access the fable4.php page, he's forced to go to the login form first. This redirect url worked before, but as I added it here, it began to fail apart. What happens is once the user is logged in is that he's not redirected anymore to this page fable4.php

Again I am lost :(
0
 
LVL 10

Expert Comment

by:MadShiva
ID: 37804850
Dear currentdb,

This code that I post, will redirect people if the value of the session["login"] is not set, then it force the redirection to the page login.

I'm not sure what you have set from your page login, personnaly I use this after control of the login/password, maybe the session is not set correctly in your code, or another variable is used (from the article of Ray Paster it didn't use login but uid) :

session_start();
$_SESSION['login'] = $login;	

Open in new window


After I redirect the people to the index.php for example page.

Regards
0
 
LVL 1

Author Comment

by:currentdb
ID: 37804866
Dear MadShiva,

When I used your code without modifications to this line header("Location: login.php"); it did not work. Then I understood that the server was not able to locate the login.php page.

Then I changed it to header("Location: http://yoursite.com/amember/login and it forces the user to go to the login page first.

Last, I had to redirect the user back to the desired page, hence the second change header("Location: http://yoursite.com/amember/login?amember_redirect_url=http://yoursite.com/fable4.php");  
      exit;


From your code, what I don't understand is where the user is redirected. When I changed the header for a second time, I really hoped that the user will be finally redirected to this page but for reasons that I don't understand, it ends into a server loop.
0
 
LVL 10

Expert Comment

by:MadShiva
ID: 37804938
Dear,

Ok . I'm not sure if I understand correctly, but you could try like this :


<?php
session_start();

if(!isset($_SESSION['login'])) 
	{
	header("Location: http://yoursite.com/amember/login");   
	exit;
	}
        else
              {
               header("Location: http://yoursite.com/fable4.php");   
               }


?>

Open in new window


This will redirect to http://yoursite.com/amember/login if the user is not logged, and http://yoursite.com/fable4.php if the user is logged.
0
 
LVL 1

Author Comment

by:currentdb
ID: 37804973
It does not work. At least there is no server loop.

It's better if you see by yourself.

<?php
session_start();

if(!isset($_SESSION['login'])) 
	{
	header("Location: http://signipedia.com/amember/login");   
	exit;
	}
        else
              {
               header("Location: http://signipedia.com/fable4.php");   
               }


?>

Open in new window


Login ID: serge6
PW: bader6

You will notice that the member is still not redirected to the proper page, but will be redirected to member's area.

PLease use this link to access this page:
http://www.signipedia.com/fable4.php

I hope you understand better this problem :)
0
 
LVL 10

Expert Comment

by:MadShiva
ID: 37805046
Dear,

You need to set the value of the login after that you have check the password in the file, the session could exist but the variable $_SESSION['login'] is not set.


You should modifiy the page of the form of the login by doing this:

Then you set the value of the login with :
session_start();
$_SESSION['login'] = $login;	

Open in new window

                               
The variable $login should be set like abow from the value of amember_login form that you have posted after the control of the password, also you need to start the session with session_start();

Hope that's clear for you.

Regards
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37806257
Please see line 44 of the RAY_EE_config code snippet in the article I linked above.  That is 100% of what you need to know to find the original entry point to the web site.  It really is that easy!
0
 
LVL 1

Author Comment

by:currentdb
ID: 37826418
Finally made it to work! I had to make some calls to my hosting company and ask them for help. They told me that kind of access should be in the root server directory.

So here's what the code looks like:

<?php
require_once '/xxx/xxx/xxx/public_html/amember/library/Am/Lite.php'; // Adjust path to aMember folder
if (!Am_Lite::getInstance()->isLoggedIn()) {
    header("Location: http://signipedia.com/amember/login?amember_redirect_url=http://signipedia.com/fable4.php"); 
    exit;
}
?>

Open in new window


It was not that easy, but at least it works :)

Thanks to both of you for your great help.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
This article explains how to prepare an HTML email signature template file containing dynamic placeholders for users' Azure AD data. Furthermore, it explains how to use this file to remotely set up a department-wide email signature policy in Office …
In this tutorial viewers will learn how to style transparent/translucent elements using alpha transparency in CSS Start with a normal styled element, such as a div.: Define its "background-color" property as "rgba (255, 255, 255, .5): The numbers in…
In this tutorial viewers will learn how to style elements, such a divs, with a "drop shadow" effect using the CSS box-shadow property Start with a normal styled element, such as a div.: In the element's style, type the box shadow property: "box-shad…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now