securing_files_with_php_sessions
securing_files_with_php_sessions [2020/06/27 22:35] – waxphilosophic | securing_files_with_php_sessions [2020/07/02 11:20] (current) – waxphilosophic
Line 3: | Line 3: | ||
===== Summary ===== | ===== Summary ===== | ||
- | I write ebooks. Some of them I publish. I like to improve my stories by getting feedback from beta readers before the stories get released. Sharing on a web site is an easy answer, but obviously I don't want to share with the entire world. | + | I write ebooks. Some of them I publish. I like to improve my stories by getting feedback from beta readers before |
Previously, I relied on a simple Apache .htaccess file to restrict a directory to only those who knew the shared password. Then, Nginx came along with it's "we don't do distributed configuration" | Previously, I relied on a simple Apache .htaccess file to restrict a directory to only those who knew the shared password. Then, Nginx came along with it's "we don't do distributed configuration" | ||
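Review bot: style nit in the unchanged context line of this hunk ("Then, Nginx came along with it's ..."): "it's" is the contraction of "it is"; the possessive wanted here is "its". Since this revision already touches the Summary paragraph, it is a good moment to fix it on both sides.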
Line 138: | Line 138: | ||
This bit of PHP removes the session variable and redirects the user back to the HTML login form. | This bit of PHP removes the session variable and redirects the user back to the HTML login form. | ||
- | ==== Every Other File ==== | + | ==== Protecting HTML Files ==== |
Now that we can set a PHP session variable, we need to be diligent about checking for it. Since it's a PHP session variable, it makes sense that it's only accessible from PHP code. But, PHP can be slipped into HTML files with ease. Just put it between the ''<? | Now that we can set a PHP session variable, we need to be diligent about checking for it. Since it's a PHP session variable, it makes sense that it's only accessible from PHP code. But, PHP can be slipped into HTML files with ease. Just put it between the ''<? | ||
Line 155: | Line 155: | ||
exit(); | exit(); | ||
} | } | ||
+ | ?> | ||
</ | </ | ||
This will leave the user staring at a blank page with a 403: Not Authorized error at the top. If you wanted to be nice, you could do an HTTP redirect to the login page. | This will leave the user staring at a blank page with a 403: Not Authorized error at the top. If you wanted to be nice, you could do an HTTP redirect to the login page. | ||
+ | ==== What About Downloads ==== | ||
+ | |||
+ | Good, you're paying attention. I mentioned from the start that my intention was secure ebooks from prying eyes. So far I've only managed to secure index.html at best. | ||
+ | |||
+ | For the rest, I rely on a download.php script that can read the contents of any file from any directory it has permission to read from. This includes directories outside of the ~/html hierarchy. All I have to do is add the snippet of PHP code that checks for a valid session and the download.php script becomes password protected as well. And, since it's the only way I've provided to gain access to a file outside of ~/html, files can't be downloaded by a direct link. | ||
+ | |||
+ | You can find it here: [[a_simple_php_sqlite_download_counter|A Simple PHP/SQLite Download Counter]] | ||
+ | |||
+ | ===== Go Forth and Conquer ===== | ||
+ | |||
+ | This is just a simple example of protecting your files. There is a lot of room for improvement, | ||
+ | |||
+ | ==== Reference ==== | ||
+ | Concerning PHP Session Security: https:// | ||
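Review bot: the new "What About Downloads" section describes a download.php that "can read the contents of any file from any directory it has permission to read from", and then relies on the session check alone to protect it. The session check answers "is this caller logged in", not "is this caller allowed to read this particular file": once a beta reader has the shared password, whatever file name the script accepts is readable. Before publishing this section, state (or add to the script) a confinement step: resolve the requested name with realpath() against a single ebook directory and refuse anything whose resolved path is not under that directory, so the script only serves the files it was meant to serve. Two smaller points in the same hunk: the unchanged line "a blank page with a 403: Not Authorized error" mixes status codes, since HTTP 403 is "Forbidden" and 401 is "Unauthorized"; and the Reference entry ends at a bare "https://", so the link to the PHP session security material should be completed before this revision is considered final.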
securing_files_with_php_sessions.txt · Last modified: 2020/07/02 11:20 by waxphilosophic