[Resolved] Protecting include files

tomandhannah

I am working on a site where each page requires a user to be logged into the system. The whole site relies on HTML template files that are included in the pages. However, if a user knew the name of a template file, they could browse to that page by entering the url... as the template file does not require a log in.

Is it possible to make template files that can only be included and not viewed by themselves? Then, if a user browses only to the template file, they are redirected, or get an error?

I tried something like this at the top of the template files:

<? if ($_SERVER["SCRIPT_NAME"] != $_SERVER["PHP_SELF"]) { ?>

but that doesn't work because if the file is included, then the script name and php self are the same.

At the top of every non-template page, I call these functions to require a log in:

require_login();
require_priv("admin");

I tried putting this at the top of the template page, but that doesn't work either because these functions are in another functions file that is not included in the template because it can't be called twice on the same page.

I want my files to be include-only. They can be called by other files on the server, but cannot be called by a user.

Any one creative enough to come up with a good solution for this?

mrhappiness

you perhaps want to have a look at FILE and compare it to $_SERVER['PHP_SELF']

or you put all includes above your web root

olaf

Maybe you can protect them with htaccess ...

mrhappiness

or you store them above your web root

tomandhannah

Protecting them with htaccess won't work because when they are called to be included in the file, the user will be prompted to login.

Storing them above my web root is a very interesting and simple idea. I might play with that and see what happens.

Currently, my solution is this: I'm putting the following code at the top of every template file.

<?
if (! $_SESSION['user']['priv'] = "admin") {
		header("Location: /login.php");
		die;
	}
	?>

If the user is not logged in as an admin, then they are redirected. It seems to work, but I wonder if there are other security concerns I need to be aware of.

Hmm... above the web root. That is such an interesting idea...

mrhappiness

Originally posted by tomandhannah
Protecting them with htaccess won't work because when they are called to be included in the file, the user will be prompted to login.

no, you can include them without creating a browser popup for logon since you are including it and not the browser 🙂

olaf

yes, that's what i thought...

It could be if for example images ar in the same (protected) folder.

tomandhannah

Hmmm... I'll have to try it out with htaccess too. I'm almost sure I've tried it before and any time I loaded a page (from my browser) that included a file inside a protected directory, it asked me to login. But I seem to be wrong, since you guys are both confident it can be done. Thanks for the clarification.

Both of your ideas are great. My solution is working for now, but I plan to try both of your suggestions and see which one I like better.

But for the purposes of this forum: [Resolved]!