User Tools

Site Tools


securing_files_with_php_sessions

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revision Both sides next revision
securing_files_with_php_sessions [2020/06/27 22:16]
waxphilosophic
securing_files_with_php_sessions [2020/06/27 22:50]
waxphilosophic [What About Downloads]
Line 3: Line 3:
 ===== Summary ===== ===== Summary =====
  
-I write ebooks. Some of them I publish. I like to improve my stories by getting feedback from beta readers before the stories get released. Sharing on a web site is an easy answer, but obviously I don't want to share with the entire world.+I write ebooks. Some of them I publish. I like to improve my stories by getting feedback from beta readers before sending them to the publisher. Sharing on a web site is an easy answer, but obviously I don't want to share with the entire world.
  
 Previously, I relied on a simple Apache .htaccess file to restrict a directory to only those who knew the shared password. Then, Nginx came along with it's "we don't do distributed configuration" attitude. Previously, I relied on a simple Apache .htaccess file to restrict a directory to only those who knew the shared password. Then, Nginx came along with it's "we don't do distributed configuration" attitude.
Line 108: Line 108:
 </code> </code>
  
 +This short little snippet of PHP is simple comparing the credentials passed via post variables with the credential stored at the top as a SHA1 hash. If things match, a session variable of ''authenticated = true'' is set.
  
 +Is this secure? No.
  
 +SHA1 has been compromised. Setting a simple and easily guessed session variable is pretty lame as well. But, PHP does not have functions for SHA256 and up. And, I'm not protecting top secret nuclear launch codes here. So, is it good enough for short term sharing of a few files? Probably.
 +
 +You can get your username and password hashes by using the ''sha1'' command-line tool.
 +
 +<file>
 sha1 -s foo sha1 -s foo
 SHA1 ("foo") = 0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33 SHA1 ("foo") = 0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33
 +</file>
 +
 +If you've ever read a C++ book or a Unix tutorial, I'll bet you can guess what the password is.
 +
 +=== logout.php ===
 +
 +Logging out is easy. This is a session variable, so it goes away when the user closes their browser. If you want to offer a "logout" button, just use this script.
 +
 +<code>
 +<?php
 +// Cancel authentication.
 +session_start();
 +unset($_SESSION['authenticated']);
 +header('Location: login.html');
 +?>
 +</code>
 +
 +This bit of PHP removes the session variable and redirects the user back to the HTML login form.
 +
 +==== Protecting HTML Files ====
 +
 +Now that we can set a PHP session variable, we need to be diligent about checking for it. Since it's a PHP session variable, it makes sense that it's only accessible from PHP code. But, PHP can be slipped into HTML files with ease. Just put it between the ''<?php'' and ''?>'' tags as show in all the examples above.
 +
 +To protect an HTML file, simply slip this in at the top.
 +
 +<code>
 +<?php
 +  // Check if autheticated and redirect to login page if not.
 +  session_start();
 +  if(!isset($_SESSION['authenticated'])) {
 +    http_response_code(403);
 +    header("Content-type: text/plain");
 +    header("Cache-Control: no-store, no-cache");
 +    echo "403: Not Authorized";
 +    exit();
 +  }
 +?>
 +</code>
 +
 +This will leave the user staring at a blank page with a 403: Not Authorized error at the top. If you wanted to be nice, you could do an HTTP redirect to the login page.
 +
 +==== What About Downloads ====
 +
 +Good, you're paying attention. I mentioned from the start that my intention was secure ebooks from prying eyes. So far I've only managed to secure index.html at best.
 +
 +For the rest, I rely on a download.php script that can read the contents of any file from any directory it has permission to read from. This includes directories outside of the ~/html hierarchy. All I have to do is add the snippet of PHP code that checks for a valid session and the download.php script becomes password protected as well. And, since it's the only way I've provided to gain access to a file outside of ~/html, files can't be downloaded by a direct link.
 +
 +You can find it here: [[a_simple_php_sqlite_download_counter|A Simple PHP/SQLite Download Counter]]
 +
 +===== Go Forth and Conquer =====
 +
 +This is just a simple example of protecting your files. There is a lot of room for improvement, but in terms of getting the job done quickly and easily, it's a good start.
 +
 +
securing_files_with_php_sessions.txt ยท Last modified: 2020/07/02 11:20 by waxphilosophic