.htaccess and sessions for security? - security

In my application users have their own "websites" which can be reached if they are signed in.
However, since these websites are just directories containing html and other documents everyone in the world can reach them if they know the address. I can't have that :) A user should be able to decide whether or not the world might see their files.
Can I use .htaccess to activate a PHP-script every time a request is made to that directory?
I.e. if requested-site is "/websites/{identifier}", run is-user-allowed-to-view.php?website={identifier}
The identifier is a numeric value which refers to both a physical folder and a post in the database... and the script would then return true or false.
Or is there perhaps another way of solving the same issue?
Cheers!

You can use mod_rewrite to rewrite requests with such a URL internally to your script:
RewriteEngine on
RewriteRule ^website/([0-9]+)$ is-user-allowed-to-view.php?website=$1
But this rule is only for the URL path /website/12345 and nothing else.
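An added example (not code from the thread) of wiring that idea up end to end: a .htaccess inside /websites/ sends every request for a user folder to a gatekeeper script, which applies the owner/public policy and serves the file itself, so Apache never serves those folders directly; the sites table, the session key user_id and the SQLite DSN are assumptions.

```php
<?php
// Added example, not from the original thread. Assumed layout on disk:
//   /is-user-allowed-to-view.php   (this script, in the document root)
//   /websites/<id>/...             (each user's files)
// Assumed /websites/.htaccess, so nothing in there is ever served directly:
//   Options -Indexes
//   RewriteEngine on
//   RewriteRule ^([0-9]+)/?$    /is-user-allowed-to-view.php?website=$1&file=index.html [L]
//   RewriteRule ^([0-9]+)/(.+)$ /is-user-allowed-to-view.php?website=$1&file=$2 [L]
session_start();
// Assumed table: sites(id INTEGER, owner_id INTEGER, is_public INTEGER)
function loadSite(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT owner_id, is_public FROM sites WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// The policy itself: public sites are open to all, private ones only to their owner.
function isAllowed(?array $site, ?int $userId): bool
{
    if ($site === null) {
        return false;
    }
    return (int) $site['is_public'] === 1 || $userId === (int) $site['owner_id'];
}

// Map the requested file onto disk and refuse anything outside that site's folder.
function resolvePath(string $root, int $siteId, string $file): ?string
{
    $base = realpath($root . '/' . $siteId);
    $real = $base === false ? false : realpath($base . '/' . $file);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // missing, or a "../" escape attempt
    }
    return is_file($real) ? $real : null;
}

$db     = new PDO('sqlite:' . __DIR__ . '/app.sqlite');        // assumed DSN
$siteId = (int) ($_GET['website'] ?? 0);
$file   = (string) ($_GET['file'] ?? 'index.html');
$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$path   = resolvePath(__DIR__ . '/websites', $siteId, $file);

if (!isAllowed(loadSite($db, $siteId), $userId) || $path === null) {
    http_response_code(404);   // one answer for "unknown", "private" and "no such file"
    exit;
}
header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
readfile($path);
```

Returning the same 404 for a private site and for a missing one keeps the existence of someone else's private site from being probed by URL.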

Or have every page as a PHP page and just put at the top a single line to redirect if the session / cookie is incorrect or not set. Obviously wouldn't work for non-PHP content such as images.

What you need is a proper front-end (written in whatever language). You need to have your web-server (Apache in your case it seems) pass the requests to the said front-end.
You cannot do what you are asking for with just .htaccess files.

Related

Ignore last part of URL with .htaccess

We have a FAQ page /faq (tab style) where every question should have its own 'ghost' url/page. So users could visit eg.
/faq/question-1
/faq/question-2
/faq/question-3
The problem is question-1, question-2, question-3 are not actual pages but just sections on /faq. For SEO, aesthetics and usability reasons we do not want to work with ?q= or #
I've searched and tried every .htaccess thread I came across but without result.
Is there a way we can show the page/faq when visiting /faq/question-1 and keep the url /faq/question-1 with mod_rewrite? (we cannot hardcode it because we do not know all future question slugs) So basically something that tells the browser: if the first url part is /faq/, just ignore everything that comes behind but keep the url.
Thanks
This is a trivial rewriting task and it is unclear why this should not work for you:
RewriteEngine on
RewriteRule ^/?faq/.+ /faq [END]
Since you claim that you "tried every .htaccess thread you came across" and this clearly works, the question is: why not in your setup? But since you did not tell us anything about your setup we cannot really offer more help...
These are some general hints though which you should go through:
Where did you implement the rules you tried? In the http server's host configuration or in a distributed configuration file?
If you are using a distributed configuration file (".htaccess") then how did you make sure such files are interpreted by your http server and how did you test that?
Did you check your http server's error log file for hints?
Did you make sure that you are not actually looking at cached responses? So did you really test with a fresh anonymous browser window using a "deep reload"?
Since the CMS you are using requires own rewriting rules, where did you add those rules you tried? Remember: the order is important!

How does Concrete5 arrange its absolute paths?

I've been asked to figure out how the Concrete5 system works for an employer, and I can't figure something out.
I have Concrete5 installed to a directory on the server called /realprofessionals. When the Concrete5 system makes new pages, it gives them their own absolute paths, for instance:
http://www.wmcpartners.com/realprofessionals/footer
However, it hasn't actually made a folder in the /realprofessionals directory called footer. So how does that work? How can http://www.wmcpartners.com/realprofessionals/footer be a working link?
Short answer: All page requests are actually going through the one and only index.php file. Page content is stored in the database, not in files on the server.
Long answer:
Concrete5 (and most PHP-based CMSes for that matter) work like this: all requests are routed through the index.php file. This routing is enforced with some mod_rewrite rules in the .htaccess file. The rules say "for any request, don't actually go to that page, but instead go to index.php and pass the rest of the requested path as $_GET parameters". Then in the index.php code (or some other code that is included by the index.php file), the requested page is determined based on the path that was put into the $_GET parameters by Apache (as per the mod_rewrite rule in .htaccess), and the appropriate content is retrieved from the database.
Storing content in the database as opposed to files on the server has several advantages. For example, you can re-use the same html template -- header, footer, sidebar -- on every page, and if you change the template it will automatically be reflected on all pages it's used on. Also, it makes it easier to shuffle pages around and to give them whatever URL you want (e.g. no ".php" extension at the end, or /2010/11/date/based/paths/for/blog/posts).
The disadvantage of course is that every request requires many database queries, but for most sites (those without zillions of page views), the trade-off is well worth it (and various types of caching can help reduce the performance hit).
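As an added illustration, not Concrete5's own code, here is a minimal index.php front controller doing exactly what the answer describes: Apache hands the path over, the script canonicalises it, looks the page up in the database and renders it into one shared template; the pages table and the DSN are assumptions.

```php
<?php
// Added example, not Concrete5's code: the smallest version of the routing the
// answer describes. Assumed .htaccess next to this index.php:
//   RewriteEngine on
//   RewriteCond %{REQUEST_FILENAME} !-f
//   RewriteCond %{REQUEST_FILENAME} !-d
//   RewriteRule ^(.*)$ index.php?path=$1 [L,QSA]
// and an assumed table pages(path TEXT PRIMARY KEY, title TEXT, body TEXT).

// Normalise what Apache handed us so "footer", "footer/" and "./footer" all map
// to the same stored path and no "../" segment ever reaches the lookup.
function canonicalPath(string $raw): string
{
    $parts = [];
    foreach (explode('/', $raw) as $seg) {
        if ($seg !== '' && $seg !== '.' && $seg !== '..') {
            $parts[] = $seg;
        }
    }
    return '/' . implode('/', $parts);
}

function loadPage(PDO $db, string $path): ?array
{
    $stmt = $db->prepare('SELECT title, body FROM pages WHERE path = ?');
    $stmt->execute([$path]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

$db   = new PDO('sqlite:' . __DIR__ . '/site.sqlite');      // assumed DSN
$page = loadPage($db, canonicalPath((string) ($_GET['path'] ?? '')));

if ($page === null) {
    http_response_code(404);
    $page = ['title' => 'Not found', 'body' => '<p>No such page.</p>'];
}
// One shared template for every page. The title is plain text from the database,
// so escape it; the body is HTML written by site editors and is emitted as stored.
$title = htmlspecialchars($page['title'], ENT_QUOTES, 'UTF-8');
echo "<!doctype html><html><head><title>{$title}</title></head>";
echo "<body><header>Site header</header><main>{$page['body']}</main><footer>Site footer</footer></body></html>";
```

With this in place /realprofessionals/footer works although no footer directory exists, because the request never reaches the filesystem lookup: the two RewriteCond lines only let real files and directories through unrewritten.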
Jordan's answer is excellent, I would add that you probably don't see index.php in the url because you've enabled pretty URLs (type 'pretty' on concrete5's searchbox to check that).
Anyhow, the best way to programmatically add a link to internal pages is:
<a href="<?=$this->url('page-name');?>">
page name
</a>
It works both on localhost and online, with or without pretty URLs.
(For the page-name go to dashboard/full sitemap/page-name/properties/page paths and location.)

Dynamically creating URLs for other websites

I'd like to know how websites have created URLs with other domains like these on trafficestimate.com.
I'm guessing it's some .htaccess stuff to redirect domain names to a dynamic page?
Thanks
Your URL has a GET request. So when someone calls the page http://google.com/search with the parameters hl=en, safe=off etc., the page can process those parameters. So for instance safe=off means that you want to get back any search result. The q=site:... is your search string. In this case Google will look it up in its database and give you the results. So when you call this URL there is probably no .htaccess processing done. However you can process the URL and GET request with .htaccess and e.g. redirect the user to another page.
Maybe you'll describe a bit further what exactly you're trying to do/want to know. This makes explaining easier.
EDIT: After reading Gumbo's comment I looked at the Google result page. So maybe your question means the trafficestimate-URLs. They look like http://trafficestimate.com/example.org. This is really a good case for .htaccess. So using .htaccess they take the URL and redirect it to http://www.trafficestimate.com/websites/?domain=example.org. Here you have again a GET request and an application builds the page.
Some URL rewriting is probably involved. Otherwise they would have to create an existing file for every possible request.
Using Apache’s mod_rewrite in a .htaccess file is one option. But since the server identifies itself with “Microsoft-IIS/7.5”, they are probably rather using ISAPI_Rewrite, a mod_rewrite derivative for Microsoft’s IIS.

Best way to password protect a site? .htaccess

I created/edited a .htaccess file and I got my site password protected fine. Question though: Is there such thing as a URL key? Maybe I'm wording that incorrectly, but I would like to keep my site hidden, but be able to send out a specific URL that can view the site. What's the best way to accomplish this?
Thanks in advance.
If doing as Greg suggests and putting it in a folder isn't good enough for you, you could set the .htaccess to rewrite all URLs to a php file (or whatever language you are using) and it checks some sort of database (or xml file or whatever format you want) for a key or parameter in the URL, and if it's not there it can return a 404 in the header. That way unless they guess the url exactly it will return a 404 like there's nothing there.
And be sure to turn virtual directory listings off too.
Simply put your site in a directory that's using a "secret" name:
http://example.com/opensesame/
If you don't link to that, then it will be "hidden" unless you give out the URL.
Naturally, this doesn't protect against other people publishing your "secret" URL and linking to your site anyway.

What's a clean/simple way to ensure the security of a page?

Supposing you have a form that collects and submits sensitive information and you want to ensure it is never accessed via insecure (non-HTTPS) means, how might you best go about enforcing that policy?
If you're running Apache, you can put a RewriteRule in your .htaccess, like so:
# In .htaccess the pattern is matched against the path relative to that directory, so no leading slash
RewriteCond %{HTTPS} off
RewriteRule ^mypage\.html$ https://example.com/mypage.html [R=301,L]
I think the most bullet-proof solution is to keep the code inside your SSL document root only. This will ensure that you (or another developer in the future) can't accidentally link to a non-secure version of the form. If you have the form on both HTTP and HTTPS, you might not even notice if the wrong one gets used inadvertently.
If this isn't doable, then I would take at least two precautions. Do the Apache URL rewriting, and have a check in your code to make sure the session is encrypted - check the HTTP headers.
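An added example (not from the answers above) of that in-code check for PHP: it reads what Apache says about the connection, only trusts a proxy header when told to, redirects GET requests to the https:// URL and refuses a form that was already posted over plain HTTP; CANONICAL_HOST is an assumed value.

```php
<?php
// Added example, not from the original answers: the "check in your code" step.
// Assumes PHP on Apache, where a TLS virtual host sets $_SERVER['HTTPS'], and a
// fixed canonical host so the redirect target never comes from the Host header.
const CANONICAL_HOST = 'example.com';   // assumed; use your real site name

function isHttpsRequest(array $server, bool $behindTrustedProxy = false): bool
{
    // Apache sets HTTPS=on on TLS vhosts; other SAPIs use "1". Anything but
    // empty or "off" means the connection to this server was encrypted.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    // X-Forwarded-Proto is just a request header the client can set, so it is
    // only meaningful when a TLS-terminating proxy you control overwrites it.
    if ($behindTrustedProxy) {
        return strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
    }
    return false;
}

function requireHttps(array $server, bool $behindTrustedProxy = false): void
{
    if (isHttpsRequest($server, $behindTrustedProxy)) {
        // Already secure: tell the browser to keep using HTTPS for this host.
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    // A POST that arrived over plain HTTP has already exposed its fields;
    // redirecting it would only hide the mistake, so refuse instead.
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'GET') {
        http_response_code(403);
        exit('This form must be submitted over HTTPS.');
    }
    header('Location: https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/'), true, 301);
    exit;
}

requireHttps($_SERVER);
// ...render the form that collects the sensitive data below this line...
```

Put this before any output, because header() cannot be sent once the response body has started.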
Take a look at this: http://www.dotnetmonster.com/Uwe/Forum.aspx/asp-net/75369/Enforcing-https
Edit: This shows solutions from an IIS point of view, but you should be able to configure about any web server for this.
In IIS? Go to security settings and hit "Require secure connection". Alternately, you can check the server variables in page load and redirect to the secure page.
I'd suggest looking at the request in the code that renders the form, and if it is not using SSL, issue a redirect to the https URL.
You could also use a rewrite rule in Apache to redirect the user.
Or, you could just not serve up the page via HTTP, and keep it only in the document root of your HTTPS site.