CodeIgniter Forums
Security issue! - Printable Version

CodeIgniter Forums (https://forum.codeigniter.com)
Thread: Security issue! (/showthread.php?tid=4198)


Security issue! - El Forum - 11-12-2007

[eluser]pieter dekker[/eluser]
Hi!

I'm building a portal which can only be accessed after you've logged on.

Now I've built a controller and a view for one of the pages.
Inside a controller function I've got this:
Code:
if ($this->checkLogin()) {
    $this->load->view('overzicht_loader');
} else {
    redirect('login');
}

But I can surf directly to the view link: http://www.mywebsite.com/../../overzicht_loader.php

So this is not secure, because you can bypass the security. How can I solve this problem?

Sorry for my bad English

I hope someone has the answer.


Security issue! - El Forum - 11-12-2007

[eluser]mrahman[/eluser]
User interfaces generally (like views) should not contain sensitive data or just be displayed without further authentication checks. You have to checkLogin() in each snippet in your view that displays confidential stuff in case of a successful login. So your code above will be useful just for preventing permissions errors from being displayed and as a user-friendly mechanism, not to grant or deny.


Security issue! - El Forum - 11-12-2007

[eluser]Chris Newton[/eluser]
You could also place all of the site's views above the webroot so that they CAN'T be surfed to.


Security issue! - El Forum - 11-12-2007

[eluser]thurting[/eluser]
[quote author="mahuti" date="1194932710"]You could also place all of the site's views above the webroot so that they CAN'T be surfed to.[/quote]

Yes. For maximum security the only .php file that should be on your root is the bootstrap.


Security issue! - El Forum - 11-13-2007

[eluser]xwero[/eluser]
A dirty hack is to add
Code:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');  ?>
to every view file, similar to the code of the libraries.


Security issue! - El Forum - 11-13-2007

[eluser]pieter dekker[/eluser]
[quote author="mrahman" date="1194927377"]user interfaces generally (like views) should not contain sensitive data or just be displayed without further authentication checks. you have to checkLogin() in each snippet in your view that displays confidential stuff in case of a successful login. so your code above will be useful just for preventing permissions errors to be displayed and to be a user friendly mechanism, not to grant or deny.[/quote]

It's easy to understand that views shouldn't contain sensitive data. But how do you display sensitive data? Do I need to call from the view to a controller function?
How do you display sensitive data?

Thanks for all the reactions so far!


Security issue! - El Forum - 11-13-2007

[eluser]gtech[/eluser]
xwero's method of checking the BASEPATH works very well if you put it in the first line of your view. As he says, it's what they use in the CodeIgniter libraries to stop you surfing to the scripts directly, so it's a valid way to do it.


Security issue! - El Forum - 11-13-2007

[eluser]Alex007[/eluser]
[quote author="gtech" date="1194968994"]xwero's method of checking the BASEPATH works very well if you put it in the first line of your view. As he says, it's what they use in the CodeIgniter libraries to stop you surfing to the scripts directly, so it's a valid way to do it.[/quote]

It's even simpler than that, your SYSTEM folder should not be accessible at all from the web.

Inside the system folder, create a .htaccess file (assuming you're running Apache) with this in it:

.htaccess file:
Code:
deny from all
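
As an added example (not code from this thread or from CodeIgniter itself), here is what a view looks like when it combines the advice above: xwero's BASEPATH guard on the first line, and no data access or authorization logic of its own, so that the login check stays in the controller. The file path `application/views/overzicht_loader.php`, the variables `$title` and `$rows`, and the controller call that passes them are assumptions taken from the original post's view name, not from any project code.

```php
<?php
// Added example, not from the thread or from the CodeIgniter source.
// Assumed location: application/views/overzicht_loader.php (view name from the
// original post). Assumed to be rendered by the controller with
//   $this->load->view('overzicht_loader', array('title' => ..., 'rows' => ...));
// after $this->checkLogin() has succeeded.

// 1. Direct-access guard. CodeIgniter's front controller (index.php) defines
//    BASEPATH before it routes to any controller or loads any view. A request
//    aimed straight at this file never passes through index.php, so BASEPATH is
//    undefined and the script stops before emitting a single byte of markup.
//    Keep this as the very first statement: anything above it would still be
//    sent to a direct request.
if (!defined('BASEPATH')) {
    exit('No direct script access allowed');
}

// 2. The view owns no credentials, queries or permission checks. It renders
//    only what the controller chose to hand it. Even if the guard were missing,
//    a direct hit on this file would find no data to display, because $title
//    and $rows only exist when the controller extracts them into this scope.
//    Defaulting them here avoids PHP notices (which can leak file paths) if the
//    controller ever calls the view without data.
$title = isset($title) ? (string) $title : 'Overzicht';
$rows  = isset($rows) && is_array($rows) ? $rows : array();

// Small helper so every dynamic value is HTML-escaped exactly once.
// Function name is an assumption for this example.
function overzicht_e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title><?php echo overzicht_e($title); ?></title>
</head>
<body>
<h1><?php echo overzicht_e($title); ?></h1>

<?php if (empty($rows)): ?>
    <p>No records to show.</p>
<?php else: ?>
    <table>
        <tr><th>ID</th><th>Name</th></tr>
        <?php foreach ($rows as $row): ?>
        <tr>
            <!-- Each cell is escaped: the view never trusts what it is given,
                 even though the controller is the only intended caller. -->
            <td><?php echo overzicht_e(isset($row['id']) ? $row['id'] : ''); ?></td>
            <td><?php echo overzicht_e(isset($row['name']) ? $row['name'] : ''); ?></td>
        </tr>
        <?php endforeach; ?>
    </table>
<?php endif; ?>
</body>
</html>
```

The guard only fails closed if it really is the first statement in the file, so keep it ahead of any HTML or whitespace. Alex007's `deny from all` is the Apache 2.2 directive; on Apache 2.4 the equivalent is `Require all denied` unless `mod_access_compat` is loaded, so check which one your server honours. After applying either, a direct request to a file under `system/` (or `application/views/`) should return a 403, while the same page requested through `index.php` still renders normally for a logged-in user.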



Security issue! - El Forum - 11-13-2007

[eluser]gtech[/eluser]
[quote author="Alex007"]It's even simpler than that, your SYSTEM folder should not be accessible at all from the web.

Inside the system folder, create a .htaccess file (assuming you're running Apache) with this in it:

.htaccess file:
Code:
deny from all
[/quote]

Thanks for that Alex, I didn't know that, very useful!


Security issue! - El Forum - 11-13-2007

[eluser]pieter dekker[/eluser]
Thanks, the .htaccess was a very useful tip!