-1

I am trying to set up a secure web page at home. I created a login page with HTML and PHP, and it actually works when a user tries http://example.com. However, I noticed that if a user enters the URL http://example.com/documents.html (where documents.html is a page in my website), they get access to the page contents without logging in first.

I have been looking for a solution for several weeks without success. I’ve tried to use the .htaccess capabilities of Apache without success (I get the same results as above). So if someone could lead me on how to avoid this, that would be great.

Ry-
  • Why don't you simply turn `documents.html` into a `.php` and make the proper security checks right there? – Havenard Apr 11 '14 at 00:37
  • Make `documents.html` a `php` file. At the top of `documents.php` write something along the lines of `if(!$logged_in){ header('Location: http://mywebpage.com'); exit; }` – tchow002 Apr 11 '14 at 00:38
  • You can treat `.html` as PHP if you instruct Apache to do so. However, and as already stated, you will be better off merely changing your file extension to `.php` and use [**sessions**](http://www.php.net/manual/en/features.sessions.php) with conditional statements and/or a DB. Show us an example of your `.htaccess` file to see what you tried. *Sidenote:* I believe nginx does not support `.htaccess` – Funk Forty Niner Apr 11 '14 at 00:39
  • The problem you have is because of various things. Firstly, your page format should be PHP, not HTML. Then you will need to add something like the first answer in this post: [PHP Login Check](http://stackoverflow.com/questions/1545357/how-to-check-if-a-user-is-logged-in-in-php). Make sure you check the previous questions; I'm sure you will find an answer! Hope this helps. – Sam Joy Apr 11 '14 at 00:41
  • Thanks all, the problem was already solved by following your directions. I changed to the PHP file format and performed security checks. This was great – Damian Miralles Apr 12 '14 at 17:09

2 Answers

1

This question is very broad. There are many possible solutions. It is going to be very hard to give a best answer.

My personal choice would be to remove HTML pages from the public area of the website and then create a PHP page which checks for permissions based on the requested page. If that is OK, then the PHP page would read the non public HTML page and simply echo out the contents.

This will secure the HTML pages without the need to rename them or alter them in any way. This is often times better because there is usually a reason that you have HTML pages instead of PHP pages. If they are being generated somewhere else it could be very difficult to keep those changes updated too. It will also allow you a chance to add to or modify the output in code before you display it.

One PHP file could be made per HTML page or you could use one PHP file for all pages and use a request variable to choose which HTML page to authorize and display. That is up to you.

As a bonus, this type of system can also be used for any other type of file you'd like to secure but still give (what seems to be) direct access to. To do that, just replace mystaticfile.html with mystaticfile.zip (or whatever) and make sure to send the correct header.

krowe
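A sketch of the single-gatekeeper approach described in the answer above, added here as an example and not krowe's own code. The script name `view.php`, the `page` request parameter, the `PRIVATE_DIR` location and the allowlist entries are assumptions; `$_SESSION["username"]` and `login.php` follow the other answer on this page.

```php
<?php
// view.php: gatekeeper for static files stored outside the web root.
// Assumptions (hypothetical names): PRIVATE_DIR, the "page" request
// parameter, and a login script that sets $_SESSION["username"].

const PRIVATE_DIR = '/var/www/private';   // must not be reachable by URL

// Allowlist: request key => [file name, Content-Type]. Only listed files can
// ever be served, so "../" or absolute paths in the request have no effect.
const PAGES = [
    'documents' => ['documents.html', 'text/html; charset=UTF-8'],
    'archive'   => ['mystaticfile.zip', 'application/zip'],
];

// Return [path, type] for a known key, or null for anything else.
function resolve_page($key): ?array
{
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    [$file, $type] = PAGES[$key];
    $root = realpath(PRIVATE_DIR);
    $path = realpath(PRIVATE_DIR . DIRECTORY_SEPARATOR . $file);
    // realpath() is false when the file is missing; the prefix check also
    // rejects a symlink that points outside PRIVATE_DIR.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return [$path, $type];
}

session_start();
if (!isset($_SESSION['username'])) {
    header('Location: login.php');
    exit;                                 // nothing below runs for guests
}

$page = resolve_page($_GET['page'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: ' . $page[1]);      // the "correct header" per file type
readfile($page[0]);
```

With this in place a logged-in user requests `view.php?page=documents`, while a direct request for `documents.html` finds nothing because the file no longer lives under the web root.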
0

For me, I added this code at the start of the webpage that should only be accessible after logging in.

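```php
<?php
// Resume the session so that $_SESSION is populated.
session_start();

if (isset($_SESSION["username"])) {
    // Code to run if logged in

} else {
    // This will return the user to the login page if the user is not logged in
    header("Location: login.php");
    exit; // stop here so the rest of the protected page is never sent
}
?>
```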

This will protect the pages exclusive to users even if the URL is manually typed.

Jheems