

Securing Files with PHP Sessions

Summary

I write ebooks. Some of them I publish. I like to improve my stories by getting feedback from beta readers before the stories get released. Sharing on a web site is an easy answer, but obviously I don't want to share with the entire world.

Previously, I relied on a simple Apache .htaccess file to restrict a directory to only those who knew the shared password. Then, Nginx came along with its “we don't do distributed configuration” attitude.

Rather than leaving my files flapping in the breeze and hoping no one would guess the URL, I quickly looked for an alternative solution. I found it with PHP Sessions.

Even though SDF is using Apache again, I still think this approach of securing files has merit.

The Idea

I didn't just sit down one day and pull PHP Sessions out of my backside. I did what anybody would do and took to the internet for examples. I found mine on Stack Overflow.

https://stackoverflow.com/questions/1243150/php-sessions-to-authenticate-user-on-login-form#1244097

This gave me the framework for what was possible. What I came up with for my solution, I will detail below.

The Code

For the impatient, I will first drop the code on you and explain later.

login.html

This is where users get sent to authenticate and it's the first page they see.

<!DOCTYPE html>

<html>
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Secure Files</title>
  <style>
    body {
      background: #333333;
      color: #CCCCCC;
    }
    fieldset {
      line-height: 150%;
      margin-left: auto;
      margin-right: auto;
      margin-top: 30vh;
      text-align: center;
      width: 12em;
    }
    input {
      background: #CCCCCC;
      color: #000000;
    }
  </style>
</head>

<body>
  <form action="login.php" method="post">
    <fieldset>
      <legend>Secure Files</legend>
      Username:<br>
      <input name="username" type="text"><br>
      Password:<br>
      <input name="password" type="password"><br>
      <input type="submit" value="Log In">
    </fieldset>
  </form>
</body>
</html>

The important part here is the stuff between the BODY tags. Most everything else is styling to make it look good on desktop or mobile, and to give it a moody, dark color scheme.

The user is presented with an HTML form that asks for credentials. The form does no encryption or hashing of the name and password, so serve the site over HTTPS (SSL/TLS) if you're concerned about the credentials crossing the wire in clear text.

Once the user clicks/taps Log In, control is passed to a PHP script to verify the credentials.

login.php

No, this is not a repeat of login.html; this is where validation occurs and the session is started.

<?php

// Username and password stored as SHA-1 hex digests (see the sha1 command below).
$username = '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33';
$password = '62cdb7020ff920e5aa642c3d4066950dd1f01f4d';

session_start();

// Check if credentials were passed. Redirect to login form if not.
if (isset($_POST['username']) && isset($_POST['password'])) {

  // Attempt to validate against the stored hashes. hash_equals() compares the
  // digests strictly and in constant time; a loose == comparison would treat
  // two numeric-looking "0e..." digests as equal numbers.
  if (hash_equals($username, sha1($_POST['username']))
      && hash_equals($password, sha1($_POST['password']))) {
    $_SESSION['authenticated'] = true;
    header('Location: index.php');
    exit; // stop here so nothing after the redirect can run
  }
  else {
    sleep(3); // slow down guessing
    header('Location: login.html');
    exit;
  }
}
else {
  header('Location: login.html');
  exit;
}

?>

The hashes are generated on the command line with the BSD sha1 tool:

sha1 -s foo
SHA1 ("foo") = 0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33
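login.php redirects to index.php, which is the page that actually hands out the files and therefore has to check the session on every request. The script below is an added example of that gate; it is not code from the original page. It assumes the protected ebooks sit in /srv/secure_files (a constructed path outside the web root, so the web server cannot serve them without going through PHP) and that login.php set $_SESSION['authenticated'] = true exactly as above. The query parameter name f and the logout parameter are my choices.

```php
<?php
// index.php: lists the protected files and streams one on request.
// Assumes /srv/secure_files (constructed path, outside the web root) and the
// $_SESSION['authenticated'] flag set by login.php.
declare(strict_types=1);

session_start();

// Gate: no authenticated session, no files. exit so nothing below runs.
if (empty($_SESSION['authenticated'])) {
    header('Location: login.html');
    exit;
}

// Optional logout: index.php?logout=1
if (isset($_GET['logout'])) {
    $_SESSION = [];
    session_destroy();
    header('Location: login.html');
    exit;
}

$baseDir = realpath('/srv/secure_files'); // assumed storage directory
if ($baseDir === false) {
    http_response_code(500);
    exit('Storage directory missing');
}

$requested = $_GET['f'] ?? '';

if ($requested === '') {
    // No file named: show a plain listing with links back to this script.
    header('Content-Type: text/html; charset=UTF-8');
    echo "<ul>\n";
    foreach (scandir($baseDir) as $name) {
        if ($name[0] === '.' || !is_file($baseDir . DIRECTORY_SEPARATOR . $name)) {
            continue;
        }
        printf("<li><a href=\"index.php?f=%s\">%s</a></li>\n",
            rawurlencode($name), htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    echo "</ul>\n<a href=\"index.php?logout=1\">Log out</a>\n";
    exit;
}

// Only bare file names are accepted: anything basename() would change
// (slashes, "..") or a NUL byte is rejected before it touches the filesystem.
if (!is_string($requested) || $requested !== basename($requested)
    || strpos($requested, "\0") !== false) {
    http_response_code(400);
    exit('Bad file name');
}

// Resolve and confirm the result is still inside $baseDir (symlinks included).
$path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
$prefix = $baseDir . DIRECTORY_SEPARATOR;
if ($path === false || !is_file($path) || strncmp($path, $prefix, strlen($prefix)) !== 0) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

The two checks on the file name are deliberate: basename() rejects the obvious "../" forms, and the realpath() prefix comparison catches anything that still resolves outside the directory, such as a symlink planted next to the ebooks. Keeping the files outside the document root is what makes the session check meaningful; if they were under the web root, the server would serve them directly and PHP would never be consulted.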

securing_files_with_php_sessions.1593296205.txt.gz · Last modified: 2020/06/27 22:16 by waxphilosophic