
I have an SPA that uses AJAX calls to assemble content from multiple PHP files. I can add the following into the main application's config file to be able to redirect users that are not logged in back to the login page as long as they tried going through the portal to look at stuff.

// Verify login to access this resource.
// Make sure the session is active before reading $_SESSION, otherwise the
// lookup raises an undefined-index notice and depends on session.auto_start.
if (session_status() !== PHP_SESSION_ACTIVE) {
  session_start();
}
// empty() fails closed: unset, null, false, 0 and "" are all treated as not logged in.
if (empty($_SESSION["loggedIn"])) {
  echo ('resource denied  <script>window.location.href = "https://'.$_SERVER['SERVER_NAME'].'/login.php";</script> ');
  exit();
}

The problem comes in that there are tons of views, models, controllers, and third party widgets that can still be accessed directly if you simply tried scanning the site for common file architectures.

Is there a way to use something like an htaccess or php.ini file to automatically append this login check to all of the php files in a directory so that I don't have to paste this into each and every page?

Barring that, is there a way to set my chmod settings to only allow indirect access to those files such that php scripts running on the server can use them, but they can not be directly visited? Thanks.

[EDIT] Moving files outside of my public folder did not work because it broke the AJAX.

I also tried auto_prepend_file in an htaccess file, but this resulted in a 500 error. I am using a VPS that apparently won't let me do an AllowOverride All in my Apache pre_virtualhost_global.conf; otherwise, I think that would have been the right way to do this.

Nosajimiki
  • https://stackoverflow.com/questions/24778706/using-auto-prepend-file-into-user-ini-file-in-php --- http://php.net/manual/en/ini.core.php#ini.auto-prepend-file - if that's what this is about. and https://stackoverflow.com/questions/14034907/php-auto-include -- https://stackoverflow.com/questions/4248140/how-to-set-phps-auto-prepend-file-directive-per-directory – Funk Forty Niner Nov 16 '17 at 18:48
  • 1
    The generally accepted solution to this issue is to house your source code files outside the web server's document root, so that direct requests can not be made to them. The only source file in doc root should be your front controller. – Alex Howansky Nov 16 '17 at 18:48
  • running off of which OS? that could matter. – Funk Forty Niner Nov 16 '17 at 18:51
  • Ok, you either are silent or left the question; same here. – Funk Forty Niner Nov 16 '17 at 18:55
  • It's a linux apache server, I will try that though. Now that you mention it, I have seen that before. – Nosajimiki Nov 16 '17 at 21:00
  • Moving the files outside of the publicHTML folder turned out to be a very simple solution to this problem. Thanks. – Nosajimiki Nov 16 '17 at 21:29
  • Correction, moving the files outside of the publicHTML worked fine for the PHP driven aspects of the application, but the AJAX calls all got broken because they can't access higher up the file structure than the public folder. – Nosajimiki Nov 16 '17 at 21:53
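One way to apply the question's login check to every script in a directory without pasting it into each file is the auto_prepend_file route that the first comment's links point at, set from a .user.ini so no .htaccess override is needed. This is an added example, not code from the question, the comments or the answer; the prepend path, the exempt script names and the JSON shape are assumptions, and it assumes PHP runs under CGI/FastCGI (php-fpm), where .user.ini is honoured.

```php
<?php
// auth_guard.php: added example, not from the original question or answer.
// Place a .user.ini in the web root containing (hypothetical path):
//     auto_prepend_file = /var/www/app/auth_guard.php
// Every PHP file below that directory then runs this check before its own
// code, including views, models and third-party widgets fetched via AJAX.

declare(strict_types=1);

// Scripts that must stay reachable without a session, or the redirect loops.
const AUTH_PUBLIC_SCRIPTS = ['login.php', 'logout.php'];

function auth_is_public(string $scriptPath): bool
{
    return in_array(basename($scriptPath), AUTH_PUBLIC_SCRIPTS, true);
}

function auth_is_ajax(array $server): bool
{
    // Marker sent by jQuery-style XHR wrappers; a JSON Accept header also counts.
    return strcasecmp($server['HTTP_X_REQUESTED_WITH'] ?? '', 'XMLHttpRequest') === 0
        || strpos($server['HTTP_ACCEPT'] ?? '', 'application/json') !== false;
}

function auth_enforce(): void
{
    if (auth_is_public($_SERVER['SCRIPT_NAME'] ?? '')) {
        return;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Fail closed: anything other than a strict true is treated as logged out.
    if (($_SESSION['loggedIn'] ?? false) === true) {
        return;
    }
    // Deny before any output is produced so headers can still be sent.
    if (auth_is_ajax($_SERVER)) {
        // AJAX fragments: a 401 lets the front end decide to show the login page.
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'resource denied', 'login' => '/login.php']);
    } else {
        // Full page loads: a real redirect, not an inline <script>, so it also
        // works when JavaScript is disabled or the response is not rendered.
        header('Location: /login.php', true, 302);
    }
    exit;
}

auth_enforce();
```

Under mod_php, .user.ini is ignored and the same directive has to go in the vhost config or a .htaccess `php_value` line, which needs the AllowOverride the question says is unavailable.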

1 Answer


Setting the CHMOD settings of my resource folders to 0750 appears to be allowing the AJAX commands to execute without allowing direct access to the files. If anyone knows of any other security caveats to be aware of when doing this, let me know. Thanks.

Nosajimiki