protect a web page from non authorized access

Dear experts,

I found out that one web page that I thought was protected from unauthorized access is in fact non protected.

An user can copy the link, then still can access this page without having to be logged in.

How I can force the user to log in even if he tries to do a copy/paste ? (he knows what the link looks like).

Thanks in advance for you help
LVL 1
currentdbAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dave BaldwinFixer of ProblemsCommented:
When you use PHP to create a login, you have to have code to check that login on each and every page that you want restricted.  There are other methods to protect a directory but they more difficult to use and don't protect a single file.   Here http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html is Ray's article on the subject.
0
TobiasCommented:
Dear,

You have some choice, the first more easy to install is to secure the access of the link with .htaccess but it will also protect the whole folder.

One other choice, would be to do a login / password for the user with a session, and check for every page that you want access that the session is valid.

 Example login.php :
// After check the password :

session_start();
$_SESSION['login'] = $login;	

Open in new window


Example anypage.php :
session_start();

if(!isset($_SESSION['login'])) {
include('login.php');		
}
else{
//Process the page
}

Open in new window


Regards
0
currentdbAuthor Commented:
There's one major problem. Only login page, logout page, membership page and shopping cart pages are in php. The rest are just html.

I am wondering if I have to convert some of them from html to php or if there's another way around.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

TobiasCommented:
I suggest to convert it. You don't need to modify all the code, rename the file to php and then add the detection of that the user is logged on the top and this should work.

Regards
0
Dave BaldwinFixer of ProblemsCommented:
If you are to protect them with a login, you need to convert all of them to use PHP to check the login.  Put it first and you can leave the HTML part of it alone.  But it does need to be a *.php file.
0
currentdbAuthor Commented:
I made renamed just one page from .html to .php and added the code suggested by MadShiva. I added this code at the top of the page. I made a test but the page is still unprotected. If I copy the link to this page in the browser, hoping that it will re-direct me to the login page, well, here it does not. I am wondering what does not work.
0
TobiasCommented:
Dear,

This was an example, this whas not supposed to work totally. I corrected the script that you should put in the top of the page.
<?php
session_start();

if(!isset($_SESSION['login'])) 
	{
	header("Location: login.php");   
	exit;
	}
?>

<HTML> 
... my page protected :)

</HTML>

Open in new window



PS: I think you know but I would clarify that after ?> is the contents of your html page.
0
Ray PaseurCommented:
If you follow the directions in this article, you can make HTML pages password protected, too.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391.html

Here is an example, untested but valid in principle.  You will want to change your .htaccess file to cause HTML documents to be parsed through PHP (or rename your page with a .php file extension).
<?php // PROTECT A PLAIN OLD HTML PAGE
error_reporting(E_ALL);
require_once('RAY_EE_config.php');
$uid = access_control();
?><!DOCTYPE html>
<html dir="ltr" lang="en-US">
<!-- WEB PAGE IN PLAIN HTML FOLLOWS HERE...

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
currentdbAuthor Commented:
Hi MadShiva, Ray_Paseur

Thank you for your code. It helped to protect the page that was just renamed from .html to .php.

I changed the header location as it is:

<?php
session_start();

if(!isset($_SESSION['login'])) 
	{
	header("Location: http://yoursite.com/amember/login?amember_redirect_url=http://yoursite.com/fable4.php");   
	exit;
	}
?>

Open in new window


Basically if anyone knows the url and wants to access the fable4.php page, he's forced to go to the login form first. This redirect url worked before, but as I added it here, it began to fail apart. What happens is once the user is logged in is that he's not redirected anymore to this page fable4.php

Again I am lost :(
0
TobiasCommented:
Dear currentdb,

This code that I post, will redirect people if the value of the session["login"] is not set, then it force the redirection to the page login.

I'm not sure what you have set from your page login, personnaly I use this after control of the login/password, maybe the session is not set correctly in your code, or another variable is used (from the article of Ray Paster it didn't use login but uid) :

session_start();
$_SESSION['login'] = $login;	

Open in new window


After I redirect the people to the index.php for example page.

Regards
0
currentdbAuthor Commented:
Dear MadShiva,

When I used your code without modifications to this line header("Location: login.php"); it did not work. Then I understood that the server was not able to locate the login.php page.

Then I changed it to header("Location: http://yoursite.com/amember/login and it forces the user to go to the login page first.

Last, I had to redirect the user back to the desired page, hence the second change header("Location: http://yoursite.com/amember/login?amember_redirect_url=http://yoursite.com/fable4.php");  
      exit;


From your code, what I don't understand is where the user is redirected. When I changed the header for a second time, I really hoped that the user will be finally redirected to this page but for reasons that I don't understand, it ends into a server loop.
0
TobiasCommented:
Dear,

Ok . I'm not sure if I understand correctly, but you could try like this :


<?php
session_start();

if(!isset($_SESSION['login'])) 
	{
	header("Location: http://yoursite.com/amember/login");   
	exit;
	}
        else
              {
               header("Location: http://yoursite.com/fable4.php");   
               }


?>

Open in new window


This will redirect to http://yoursite.com/amember/login if the user is not logged, and http://yoursite.com/fable4.php if the user is logged.
0
currentdbAuthor Commented:
It does not work. At least there is no server loop.

It's better if you see by yourself.

<?php
session_start();

if(!isset($_SESSION['login'])) 
	{
	header("Location: http://signipedia.com/amember/login");   
	exit;
	}
        else
              {
               header("Location: http://signipedia.com/fable4.php");   
               }


?>

Open in new window


Login ID: serge6
PW: bader6

You will notice that the member is still not redirected to the proper page, but will be redirected to member's area.

PLease use this link to access this page:
http://www.signipedia.com/fable4.php

I hope you understand better this problem :)
0
TobiasCommented:
Dear,

You need to set the value of the login after that you have check the password in the file, the session could exist but the variable $_SESSION['login'] is not set.


You should modifiy the page of the form of the login by doing this:

Then you set the value of the login with :
session_start();
$_SESSION['login'] = $login;	

Open in new window

                               
The variable $login should be set like abow from the value of amember_login form that you have posted after the control of the password, also you need to start the session with session_start();

Hope that's clear for you.

Regards
0
Ray PaseurCommented:
Please see line 44 of the RAY_EE_config code snippet in the article I linked above.  That is 100% of what you need to know to find the original entry point to the web site.  It really is that easy!
0
currentdbAuthor Commented:
Finally made it to work! I had to make some calls to my hosting company and ask them for help. They told me that kind of access should be in the root server directory.

So here's what the code looks like:

<?php
require_once '/xxx/xxx/xxx/public_html/amember/library/Am/Lite.php'; // Adjust path to aMember folder
if (!Am_Lite::getInstance()->isLoggedIn()) {
    header("Location: http://signipedia.com/amember/login?amember_redirect_url=http://signipedia.com/fable4.php"); 
    exit;
}
?>

Open in new window


It was not that easy, but at least it works :)

Thanks to both of you for your great help.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.