User Tools

Site Tools


securing_files_with_php_sessions

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
securing_files_with_php_sessions [2020/06/27 22:35] waxphilosophicsecuring_files_with_php_sessions [2020/07/02 11:20] (current) waxphilosophic
Line 3: Line 3:
 ===== Summary ===== ===== Summary =====
  
-I write ebooks. Some of them I publish. I like to improve my stories by getting feedback from beta readers before the stories get released. Sharing on a web site is an easy answer, but obviously I don't want to share with the entire world.+I write ebooks. Some of them I publish. I like to improve my stories by getting feedback from beta readers before sending them to the publisher. Sharing on a web site is an easy answer, but obviously I don't want to share with the entire world.
  
 Previously, I relied on a simple Apache .htaccess file to restrict a directory to only those who knew the shared password. Then, Nginx came along with it's "we don't do distributed configuration" attitude. Previously, I relied on a simple Apache .htaccess file to restrict a directory to only those who knew the shared password. Then, Nginx came along with it's "we don't do distributed configuration" attitude.
Line 138: Line 138:
 This bit of PHP removes the session variable and redirects the user back to the HTML login form. This bit of PHP removes the session variable and redirects the user back to the HTML login form.
  
-==== Every Other File ====+==== Protecting HTML Files ====
  
 Now that we can set a PHP session variable, we need to be diligent about checking for it. Since it's a PHP session variable, it makes sense that it's only accessible from PHP code. But, PHP can be slipped into HTML files with ease. Just put it between the ''<?php'' and ''?>'' tags as show in all the examples above. Now that we can set a PHP session variable, we need to be diligent about checking for it. Since it's a PHP session variable, it makes sense that it's only accessible from PHP code. But, PHP can be slipped into HTML files with ease. Just put it between the ''<?php'' and ''?>'' tags as show in all the examples above.
Line 155: Line 155:
     exit();     exit();
   }   }
 +?>
 </code> </code>
  
 This will leave the user staring at a blank page with a 403: Not Authorized error at the top. If you wanted to be nice, you could do an HTTP redirect to the login page. This will leave the user staring at a blank page with a 403: Not Authorized error at the top. If you wanted to be nice, you could do an HTTP redirect to the login page.
  
 +==== What About Downloads ====
 +
 +Good, you're paying attention. I mentioned from the start that my intention was secure ebooks from prying eyes. So far I've only managed to secure index.html at best.
 +
 +For the rest, I rely on a download.php script that can read the contents of any file from any directory it has permission to read from. This includes directories outside of the ~/html hierarchy. All I have to do is add the snippet of PHP code that checks for a valid session and the download.php script becomes password protected as well. And, since it's the only way I've provided to gain access to a file outside of ~/html, files can't be downloaded by a direct link.
 +
 +You can find it here: [[a_simple_php_sqlite_download_counter|A Simple PHP/SQLite Download Counter]]
 +
 +===== Go Forth and Conquer =====
 +
 +This is just a simple example of protecting your files. There is a lot of room for improvement, but in terms of getting the job done quickly and easily, it's a good start.
 +
 +==== Reference ====
 +Concerning PHP Session Security: https://stackoverflow.com/questions/10165424/how-secure-are-php-sessions#10165602
  
securing_files_with_php_sessions.txt · Last modified: 2020/07/02 11:20 by waxphilosophic