Tycoon Talk
PHP Forum
My way of building a secure login system...
Old 04-25-2009, 04:28 AM My way of building a secure login system...
pealo86 (Matt Pealing, England, north west):
Ok I should probably start by pointing out that it's NOT secure, well not yet anyway.

At the moment, my system checks to see if the user is logged in, then it will just insert the relevant HTML file. For example, I might have two files in an includes folder:

1. default.htm
Code:
<h1>You are not logged in</h1>
2. loggedIn.htm
Code:
<h1>Welcome Back!</h1>
Then the PHP code will just include either one, depending on whether or not $_SESSION['userId'] has been set.

Then after a while I realised how insecure it is. Basically any user could just type in the location to something like 'loggedIn.htm' and see what is available to users who have logged in.

Is a better way of doing it something like this:
1. Set the file permissions on the HTML includes folder to '000' so that no-one can access it
2. Use the chmod function in PHP to temporarily allow access, do its business, then set it back to '000' before ending the script.


Would that be a secure and efficient way of doing it? Or do I need to completely re-think how I'm building PHP applications?
Last edited by pealo86; 04-25-2009 at 04:30 AM..
Old 04-25-2009, 05:43 AM Re: My way of building a secure login system...
nayes84 (John, Tokyo):
The easiest thing to do is move the HTML files out of your www directory and place them in a directory, let's say tpl, and include them from your PHP file.
ex:
PHP Code:
include "../tpl/page.html";
where the structure of your website will be like this:
/home/yourdomain/
/home/yourdomain/tpl
/home/yourdomain/html (or /home/yourdomain/www)

Since only the html directory will be accessible through the web, it will be safe to put any files in /tpl without worrying that unauthorized users will see them.
Old 04-27-2009, 01:09 AM Re: My way of building a secure login system...
DLaManna (Dan):
Quote:
Originally Posted by KkillgasmM
Ok I should probably start by pointing out that it's NOT secure, well not yet anyway.

At the moment, my system checks to see if the user is logged in, then it will just insert the relevant HTML file. For example, I might have two files in an includes folder:

1. default.htm
Code:
<h1>You are not logged in</h1>
2. loggedIn.htm
Code:
<h1>Welcome Back!</h1>
Then the PHP code will just include either one, depending on whether or not $_SESSION['userId'] has been set.

Then after a while I realised how insecure it is. Basically any user could just type in the location to something like 'loggedIn.htm' and see what is available to users who have logged in.

Is a better way of doing it something like this:
1. Set the file permissions on the HTML includes folder to '000' so that no-one can access it
2. Use the chmod function in PHP to temporarily allow access, do its business, then set it back to '000' before ending the script.


Would that be a secure and efficient way of doing it? Or do I need to completely re-think how I'm building PHP applications?
Honestly just put your html website into a .php file and do this at the top:
Code:
<?php
session_start();                    // $_SESSION is empty until the session is started
if (empty($_SESSION['userID'])) {   // empty() also avoids a notice when the key is unset
    die('You are not logged in');
} else {
?>
Content for logged in users
<?php } ?>
Old 04-27-2009, 04:34 AM Re: My way of building a secure login system...
nayes84 (John, Tokyo):
Quote:
Originally Posted by DLaManna
Honestly just put your html website into a .php file and do this at the top:
Code:
<?php
session_start();                    // $_SESSION is empty until the session is started
if (empty($_SESSION['userID'])) {   // empty() also avoids a notice when the key is unset
    die('You are not logged in');
} else {
?>
Content for logged in users
<?php } ?>
OK, what if he needs to show more content, not only one line of code?
Also, what if he has complete pages that need to be shown when the user is logged in?
I believe the best thing to do is create all of the pages outside the www directory, then include them through the PHP file.
Old 04-27-2009, 01:30 PM Re: My way of building a secure login system...
DLaManna (Dan):
Then change it to:
Code:
<?php
session_start();                    // $_SESSION is empty until the session is started
if (empty($_SESSION['userID'])) {   // empty() also avoids a notice when the key is unset
    die('You are not logged in');
} else {
    include('whatever.php');
}
?>
Old 05-07-2009, 03:04 PM Re: My way of building a secure login system...
pealo86 (Matt Pealing, England, north west):
Quote:
Originally Posted by DLaManna
Then change it to:
Code:
<?php
session_start();                    // $_SESSION is empty until the session is started
if (empty($_SESSION['userID'])) {   // empty() also avoids a notice when the key is unset
    die('You are not logged in');
} else {
    include('whatever.php');
}
?>

That's pretty much what I'm doing already. The problem is, if people discover the location of my included scripts, they can still use them if they put the right GET variables in the address bar.

nayes84, won't users still be able to see the location of the scripts even in that folder? For example, if I have a link that points directly to a PHP script in that folder.

Thanks
Old 05-08-2009, 01:22 PM Re: My way of building a secure login system...
Andy Pugh (Andy, N.Ireland):
Effectively the way to do it would be to build your sites using headers & footers - that way the pages won't be accessible without going through the checks.

header.php

PHP Code:
<?php
session_start();                    // the session must be started before $_SESSION is read
if (empty($_SESSION['userID'])) {
    header('Location: notloggedin.php');
    exit;                           // stop here so nothing after the redirect is sent
} else {
?>
footer.php
PHP Code:
<?php } ?>


Then in, say, your blog.php page:

PHP Code:

<?php include "header.php" ?>

content bla bla bla 

<?php include "footer.php" ?>
and just have every single page follow this layout...
Last edited by Andy Pugh; 05-08-2009 at 01:23 PM.. Reason: closed else wrong
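Pulling the thread's advice together, here is an added example (not code from any poster) of a single entry page that does what nayes84 and Andy Pugh describe and answers pealo86's worry about GET variables: the templates from the first post live outside the web root, the page name taken from the URL is whitelisted, and the logged-in check runs before anything is included. The directory layout, the $_GET['page'] parameter and the 'account' template name are assumptions.

```php
<?php
// www/index.php - added example, not code from the thread. It uses nayes84's
// layout: the two files from the first post (default.htm, loggedIn.htm) live
// in /home/yourdomain/tpl, outside the web root /home/yourdomain/www, so the
// web server cannot serve them and the only route to them is this script.
define('IN_APP', true);   // a template may refuse to run unless this is defined
define('TPL_DIR', dirname(__DIR__) . '/tpl');

session_start();

/**
 * Resolve a page name to a template path. Only letters, digits and underscore
 * are accepted, so a request like ?page=../../etc/passwd cannot leave TPL_DIR.
 * Returns null for anything that is not an existing template.
 */
function template_path($name)
{
    if (!preg_match('/^[A-Za-z0-9_]+$/D', $name)) {
        return null;
    }
    $path = TPL_DIR . '/' . $name . '.htm';
    return is_file($path) ? $path : null;
}

// Templates that only a logged-in user may see; everything else is public.
$protected = array('loggedIn', 'account');

$page     = isset($_GET['page']) ? $_GET['page'] : 'default';
$loggedIn = !empty($_SESSION['userId']);   // the flag the OP's login already sets

// The decision is made once, here, before anything is included. Knowing a
// template's name or adding GET variables does not help: the check runs first,
// and the template itself is not reachable over the web at all.
if (in_array($page, $protected, true) && !$loggedIn) {
    http_response_code(403);
    $page = 'default';     // show the "You are not logged in" page instead
}

$path = template_path($page);
if ($path === null) {
    http_response_code(404);
    exit('No such page');
}
require $path;
```

As defence in depth, each template can begin with `<?php if (!defined('IN_APP')) { http_response_code(403); exit; } ?>` so that it also refuses to run if it is ever copied back inside the web root.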
Old 05-08-2009, 02:12 PM Re: My way of building a secure login system...
wayfarer07 (Abel Mohler, Asheville, North Carolina USA):
I'd like to point out that simply checking whether a $_SESSION variable is set isn't very secure. There are ways that certain users could steal a $_SESSION in order to imitate a user. This would involve intercepting the PHPSESSID, which is stored as a cookie on the user's computer. This is sometimes done on public networks such as a coffee shop with free internet. Don't count on cookies being secure, because they aren't.

Once a session id is obtained, all the user would have to do to steal the session is go to the website and enter http://your-website.com?PHPSESSID=35...1fca384924dabc or whatever it is, and suddenly they have the same session ID as whoever was just logged into the site. This is because PHP sessions can be passed using the key either in a cookie or in a URL. It was created like this to allow a fallback if cookies were totally disabled. Although this is really cool, it also means that you can't always be certain that a session was actually set from where it should have been: your server.
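The session settings that close the URL-based PHPSESSID path wayfarer07 describes, together with login/logout helpers that replace the bare isset($_SESSION['userId']) check used earlier in the thread, as an added example that is not code from the thread. The file name, the idle limit and the /notloggedin.php redirect target are assumptions; session.use_strict_mode needs PHP 5.5.2 or later.

```php
<?php
// session.php - added example, not code from the thread. Included at the very
// top of header.php, before any output, so the settings precede session_start().

// Take the session id from the cookie only. This closes the ?PHPSESSID=...
// trick in the post: an id supplied in the URL is ignored, and PHP stops
// rewriting links to carry the id.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse ids the server never issued (PHP 5.5.2 and later), so nobody can
// plant a chosen id and wait for a victim to log in under it.
ini_set('session.use_strict_mode', '1');

// HttpOnly keeps scripts from reading the cookie; Secure keeps it off plain
// HTTP. Capture on an open Wi-Fi network is only really stopped by serving the
// whole site over HTTPS, which is what makes the Secure flag apply.
$onHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(0, '/', '', $onHttps, true);
session_start();

/** Call this once the password check has succeeded. */
function login_user($userId)
{
    // Issue a brand-new id and discard the old one: whatever id the browser
    // held before login (captured, planted or guessed) is no longer valid.
    session_regenerate_id(true);
    $_SESSION['userId']   = $userId;
    $_SESSION['lastSeen'] = time();
}

/** Gate for protected pages; replaces a bare isset($_SESSION['userId']) check. */
function require_login($idleLimit = 1800)
{
    if (empty($_SESSION['userId']) || empty($_SESSION['lastSeen'])
        || (time() - $_SESSION['lastSeen']) > $idleLimit) {
        logout_user();
        header('Location: /notloggedin.php');
        exit;
    }
    $_SESSION['lastSeen'] = time();   // a stolen id that goes unused soon expires
}

function logout_user()
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

A protected page includes this file first and calls require_login() before emitting any content; the login script calls login_user($id) only after the password has been verified.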