Hi everyone,

Can anyone tell me how you can stop users from URL hacking your website with PHP (sessions)?
So for example, if you have a password and username form on the front of your website and only want authorised members to gain access to your website.

So for example, just say you had a page, e.g. page.htm, and a user who was not logged in types www.somesite.com/page.htm. How can you stop them from getting access to that page if they are not logged in?

Do you have any sample code?

Determine what constitutes a logged in session. Codify it into an include and include the session checker in each script you want to protect. Unfortunately, example code would be hard to produce since we don't have a session printed out here to know what to look for.

For further info, report back here with an example session.

Get the session data to post here with the following code:

<?php
// Dump the session contents for debugging; place this after session_start().
// htmlspecialchars() keeps any markup stored in the session from being rendered.
echo "<pre>";
echo htmlspecialchars(print_r($_SESSION, true));
echo "</pre>";
?>

placed somewhere after the session_start() call.
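As an added example of "determine what constitutes a logged in session and codify it into an include" (this is not code from the thread), here is a session checker together with the login script that creates the state it looks for. The names user_id, last_seen, the 30-minute idle limit, the single constructed user and the /login.php and /page.htm paths are all assumptions for the example; it needs PHP 5.5 or newer for password_hash()/password_verify().

```php
<?php
// ---- checksession.php ----
// Include this at the top of every script that must be protected. It defines what
// "logged in" means on this site (user_id set, and activity within the idle limit)
// and bounces everyone else to the login form before the protected script emits anything.

define('SESSION_IDLE_LIMIT', 1800); // seconds of inactivity after which the login expires (assumed value)

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_set_cookie_params(0, '/', '', false, true); // HttpOnly cookie; pass true for 'secure' once on HTTPS
    session_start();
}

function is_logged_in() {
    if (empty($_SESSION['user_id']) || empty($_SESSION['last_seen'])) {
        return false;
    }
    return (time() - $_SESSION['last_seen']) <= SESSION_IDLE_LIMIT;
}

if (!is_logged_in()) {
    $_SESSION = array();   // discard any partial or expired state
    session_destroy();
    header('Location: /login.php');
    exit;                  // without this the protected page would still be served
}
$_SESSION['last_seen'] = time(); // sliding idle timeout
?>

<?php
// ---- login.php ----
// Creates the session state checksession.php looks for.
session_set_cookie_params(0, '/', '', false, true); // same cookie settings as checksession.php
session_start();

// Constructed user store for the example: username => password hash.
// A real site stores the hash (made once with password_hash()) and looks it up in a database.
$users = array(
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
);

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['username']) ? $_POST['username'] : '';
    $pass = isset($_POST['password']) ? $_POST['password'] : '';
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        session_regenerate_id(true);      // new session ID after login defeats session fixation
        $_SESSION['user_id']   = $user;   // this is what "logged in" means on this site
        $_SESSION['last_seen'] = time();
        header('Location: /page.htm');
        exit;
    }
    $error = 'Invalid username or password.'; // same message for unknown user and wrong password
}
?>
<form method="post" action="/login.php">
  <?php if ($error !== '') { echo '<p>' . htmlspecialchars($error) . '</p>'; } ?>
  <input name="username"> <input name="password" type="password"> <input type="submit" value="Log in">
</form>
```

A protected script then starts with `require_once 'checksession.php';` and nothing else needs to change. The two things worth checking after wiring this up: that a request without a session cookie to a protected script returns a 302 to /login.php with an empty body (the exit after header() is what guarantees the empty body), and that the session ID in the cookie changes after a successful login.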

Take htm/html pages and just change the extension to php so you can run code in them.

You can add an .htaccess with some mod_rewrite rules to avoid needing to fix links.

At the end of the day the user will still be seeing page.htm in the address bar, but Apache will be running page.php based on what's in the .htaccess rules.

Here's some docs on mod_rewrite. Remember that these rules go into a .htaccess and your ISP or server manager needs to set AllowOverride All (or whatever) in the Apache directory config.

In the Apache config:

<Directory "/var/www/somewebsiterootdirectory">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

.htaccess:

RewriteEngine  on
RewriteBase    /protectedfiles/
RewriteRule    ^(.*)\.htm$  $1.php

RewriteBase starts with the root of your site. So if your web root is /var/www/somesite.com
and you have a subdirectory under the web root called protectedfiles, that's what the rewrite rule would look like. To apply it across the whole site, set RewriteBase to /

If it doesn't seem to work, create a .htaccess that's got some random characters at the top. If you don't get an error when trying to access the site (anything in the site), Apache isn't paying attention to .htaccess, so you need to talk to your administrator about the Apache config. If it is working, you'll get 500 (Internal Server Error) responses and can then begin looking at the .htaccess file with confidence that the problem is in .htaccess.

By doing this you can rename your HTML files to PHP files and not break your links. Obviously you want to fix your links, but you can secure your stuff in a hurry, then go back and fix the links. Once the links are all fixed, remove the rewrite rule.

As a rule of thumb, it's bad to use non-PHP files in a place where they need to be protected by a PHP session check.

-r

Determine what constitutes a logged in session. Codify it into an include and include the session checker in each script you want to protect. Unfortunately, example code would be hard to produce since we don't have a session printed out here to know what to look for.

Edit: much better approach:
Using mod_rewrite, point all requests for the htm extension to passthru.php.
At the end of the day the user will still be seeing page.htm in the address bar, but Apache will be running passthru.php, which checks the session, then grabs the htm and just hands the content off to Apache.

Here's some docs on mod_rewrite. Remember that these rules go into a .htaccess and your ISP or server manager needs to set AllowOverride All (or whatever) in the Apache directory config.

In the Apache config:

<Directory "/var/www/somewebsiterootdirectory">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

.htaccess:

RewriteEngine  on
RewriteBase    /protectedfiles/
RewriteRule    ^(.*)\.htm$  passthru.php

RewriteBase starts with the root of your site. So if your web root is /var/www/somesite.com
and you have a subdirectory under the web root called protectedfiles, that's what the rewrite rule would look like. To apply it across the whole site, set RewriteBase to /

If it doesn't seem to work, create a .htaccess that's got some random characters at the top. If you don't get an error when trying to access the site (anything in the site), Apache isn't paying attention to .htaccess, so you need to talk to your administrator about the Apache config. If it is working, you'll get 500 (Internal Server Error) responses and can then begin looking at the .htaccess file with confidence that the problem is in .htaccess.

By doing this you can remap all htm file requests to passthru.php and not break your links. You don't even need to modify the HTML files.

As a rule of thumb, it's bad to use non-PHP files in a place where they need to be protected by a PHP session check, unless you serve them with a passthrough script, which is another option. In this scenario you use the same rewrite technique, but instead of $1.php, change it to passthru.php. Use file_get_contents on the htm based on the script called in the URI:

passthru.php:

<?php
// checksession.php must call exit() when there is no valid login, or the file below is served anyway
include_once("checksession.php");
// After the mod_rewrite internal redirect, REDIRECT_URL holds the originally requested URL path
$htm = $_SERVER['REDIRECT_URL'];
// basename() drops the directory part, so "../" in the request cannot escape the directory below
$htmfilename = basename($htm);
$pathtohtmlfile = "/some/protected/directory/$htmfilename";
if (!is_file($pathtohtmlfile)) {
    header("HTTP/1.0 404 Not Found");
    exit;
}
header("Content-Type: text/html");
$html = file_get_contents($pathtohtmlfile);
echo $html;
?>

If your htm files are all over the place, don't use basename. You'll need to mess around with some string manipulation to fix the paths.

Make sure that /some/protected/directory/ is not in your web root. It needs to be outside of it, or the files will still (sort of) be in jeopardy.

-r
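The post above says that when the htm files live in subdirectories you cannot use basename() and need "some string manipulation to fix paths". That string manipulation is where path traversal bugs get introduced, so here is an added example (not code from the thread) of a passthru.php that keeps the subdirectory structure and still cannot be walked out of. It assumes the protected tree lives at /var/www/protected (outside DocumentRoot, as the post advises) and mirrors the URL paths, that the .htaccess rule from the post is in place with RewriteBase /, and that checksession.php exits when there is no valid login; the directory name, the content-type table and the function name are assumptions for the example.

```php
<?php
// passthru.php: serves static files from a tree outside the web root, preserving subdirectories.
require_once 'checksession.php';   // assumed to exit() when the session is not a valid login

define('PROTECTED_ROOT', '/var/www/protected');   // assumed location, outside DocumentRoot

// Map a requested URL path onto a file under $root. Returns the real filesystem path, or null
// if the request escapes the root, points at something that is not a regular file, or is malformed.
function resolve_protected_path($url_path, $root) {
    $path = parse_url($url_path, PHP_URL_PATH);        // drop any query string
    if ($path === false || $path === null) {
        return null;
    }
    $path = rawurldecode($path);                      // "%2e%2e" becomes ".." before we check it
    if (strpos($path, "\0") !== false) {
        return null;                                   // NUL bytes are never part of a legitimate name
    }
    $root_real = realpath($root);
    $candidate = realpath($root_real . '/' . ltrim($path, '/'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() has resolved "..", "." and symlinks; the result must still sit under the root.
    if (strpos($candidate, $root_real . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// REDIRECT_URL is set by the mod_rewrite internal redirect; fall back to REQUEST_URI if called directly.
$requested = isset($_SERVER['REDIRECT_URL']) ? $_SERVER['REDIRECT_URL'] : $_SERVER['REQUEST_URI'];
$file = resolve_protected_path($requested, PROTECTED_ROOT);
if ($file === null) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

// Assumed content-type table: anything not listed is sent as a download rather than sniffed by the browser.
$types = array('htm' => 'text/html', 'html' => 'text/html', 'css' => 'text/css', 'js' => 'application/javascript');
$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
header('Content-Type: ' . (isset($types[$ext]) ? $types[$ext] : 'application/octet-stream'));
header('X-Content-Type-Options: nosniff');
readfile($file);
```

The checks to run once this is deployed: a request for /protectedfiles/sub/page.htm by a logged-in user returns the file, while /protectedfiles/..%2f..%2fetc/passwd.htm, a symlink inside the tree that points outside it, and a directory name all return 404 rather than content. Note that the .htaccess rule only rewrites requests ending in .htm, so images, CSS and scripts under the protected tree still need either their own rewrite rule or to live somewhere that does not need protecting.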
