Using Codeigniter I want to make my home.php restricted to only registered users but when I try following
http://127.0.0.1/CodeIgniter_2.1.4/application/views/home.php
I get access to home.php(which is in views).
I thought that CI has some restriction for this type of request but its not.So now how can I solve this.
Should I do this in .htaccess?
OR
I should add php code at the top of home.php which will check for valid session data etc.
http://ellislab.com/codeigniter/user-guide/installation/
For the best security, both the system and any application folders
should be placed above web root so that they are not directly
accessible via a browser. By default, .htaccess files are included in
each folder to help prevent direct access, but it is best to remove
them from public access entirely in case the web server configuration
changes or doesn't abide by the .htaccess.
In your application folder make .htaccess with this:
Deny from all
Related
Good day. Got a problem here. I'm trying to forbid a folder and i succeeded from it,the problem for now is, I can't use it anymore.My web design does not work when I included it. How can i fix this?
I have tried to use options -indexes but it would not block the access if someone knows the file name like folder/css/index.css.
How can I block a user from accesing it without affecting my web-design.
By blocking access to the folder, you stopped the browser from being able to access it, which it needs to do in order to display it.
You won't ever be able to totally stop users from directly accessing the css file, if they're determined enough. The browser has to download the css file (so too can the users).
There are steps you can take to make it harder though. You could obfuscate/minify the CSS code to make it harder for people to understand - http://www.cssobfuscator.com
You could also check to make sure the referrer header is your website to prevent hotlinking - see http://www.htaccesstools.com/hotlink-protection/
Ultimately though, it will always be accessible and visible to your users
You can forbid access to the folder using the following in your /.htaccess
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !your_ip_address_here
RewriteRule ^folder/css/index\.css - [F,L,NC]
That means only your IP address will be able to access the protected folder.
My CodeIgniter structure :
public/
application/
system/
I don't want anyone to access http://exampble.com/public, allow only the application to access the resource. I tries to create the file .htaccess in directory with the content 'Deny from all', so the user can't access this directory. But my application can't access as well.
How can I solve this problem?
Please give me any idea. Thanks.
From its name, it appears that you're using the 'public' directory to store relevant images and css for your site.
If that is the case, then there's no way you can prevent users from accessing it, unless you don't want to serve images or display styling for your website.
You may however enable what's called hot-link protection which will check for the referrer for each request (not very secure, but thought it might help you out).
I am developing a website with CakePHP.
I have an AdminsController for admins to authenticate. However I want create extra security by adding .htaccess password protection.
I tried to do it by adding .htaccess and a .htpasswd files in my Admins view directory since I want the other pages of my site to work normally, but it doesn't work.
So how to add .htaccess and .htpasswd for only a specific view?
In my AdminsControllers's beforeFilter method I've added :
if(env('HTTP_HOST') == 888.888.888.888 || ......),
The list of IP addresses that should be allowed. Can I say that it is safe now?
I think you might want to investigate the other authentication components that CakePHP has to offer. BasicAuthenticate should be of particular interest.
If you go down this route, the authentication will still happen against a userModel rather than a .htpasswd file.
As for the IP restriction, that should be relatively safe. IP spoofing is possible but hard.
I'm in a development environment and we're using basic .htaccess/.htpasswd authentication to keep lurkers out. But some of my AJAX calls are coming back with HTTP/401 authentication failed errors. Is it possible for me to allow access only to those specific URL's? I can't easily do it by popping a new .htaccess in a subfolder because CodeIgniter uses ReWrites.
It's not possible to allow access only to those specific URL's. Unfortunately, .htaccess and .htpasswd authentication operates on a directory level only. And you're exactly right about why just using a subdirectory won't work - b/c of CI rewrites, which happen AFTER Apache has transferred control to CodeIgniter's index.php front controller.
The easy option, if you're working on something that (1) is not likely to be hacked in the first place, and (2) can't reveal sensitive data even if it is, is to use security via obscurity. Don't have any links to your dev site, include a noindex directive for search engine crawlers, and go on your merry way. This also has the advantage that you can test versions of the site with your colleagues and friends by just telling them the URL to go to.
If you're more worried about security, then you're probably building an auth module for your website's users. In that case, for your dev environment, just call that auth module in the constructor for all of your controllers, and redirect to the login page if the user is not logged in.
Good luck!
What are the different approaches to securing a directory?
including an index page so contents can't be viewed
the problem with this is that people can still access the files if they know the filename they're after
including an htaccess file to deny all
this seems to be the best approach, but is there any case that an htaccess file can be passed by? are there any cases as well where htaccess is not available?
restricting folder access
this is also a nice solution, but the problem is, the folder I'm trying to secure should be viewable and writable by the program.
Are there any other ways that folder security can be done?
Best practice for Apache is to use htaccess to restrict - this only restricts from the webserver - but that should be what you need. You can add authentication into this - but for most needs to you can just deny all acess - which hides the directory completely.
Another method that can also work well with using htaccess to deny direct access would be to use htaccess in your route directory to rewrite urls. This means that a request such as /example/listItems/username/ted can be rewritten as a call to a php or other file such as:
/application/index.php?module=listItems&username=ted
The advantage of doing this is that the webserver does not give out paths to any directories so it is much more difficult for people to hack around looking for directories.
If you want to protect a directory of images you could also use htaccess to redirect to a different directory so that /images/image5.png is actually a call to :
/application/images/image5.png
You could also try not placing your protected directory under your www dir but on other "non www visible" location. If your app needs to read / write data, tell it to do it on the other location. Modify its properties so only the app has the proper rights to do so.