htaccess

advertisement
Sessions, Cookies, &
.htaccess
IT 210
Procedural Issues
Quiz #3 Today!
 Homework #3 Due Friday at midnight


UML for Lab 4
Withdraw Deadline is Wed, Feb 8th
 Resources and strategies when getting
stuck?

Problem
HTTP is stateless
 This causes problems when you want the
server to “remember” a user (e.g.,
checkout baskets, customized
presentation).
 This problem is solved by using cookies
and sessions

Sessions and Cookies
Sessions and Cookies
PHP Sessions


Remember: http is memoryless
“Sessions” provide temporary memory for web
site access





Created by server (e.g., PHP)
Associative array (namevalue pairs)
Expires after ~15 minutes of inactivity
Removed when browser is closed
Stored in cookies or on query string.


Query string doesn’t allow for back button and has
security problems
UID, and program defined variables saved
Cookies are used for…
Session Management
 Personalization
 Web analytics

Cookies

Cookies





Small text file stored in a file on client (“cookie jar”)
Name/value pairs with expiration date, location, &
source indicated.
Can be secure (encrypted when HTTPS) or not
First party (from domain you’re visiting) vs Third
Party (from different domain)
Session cookies (end when you close browser) vs
persistent cookies (stored for long time and used
when you revisit site)
Cookies

Set with:
<?php
//Calculate 60 days in the future
//seconds * minutes * hours * days + current time
$inTwoMonths = 60 * 60 * 24 * 60 + time();
setcookie('lastVisit', date("G:i - m/d/y"), $inTwoMonths);
?>

Retrieve with:
$_COOKIE
Our goal: secure login
Secure?
 Use PHP to read form, and check the
results against a database


If valid, set variable to ‘true’, otherwise ‘false’
Column Name Type
Null
Primary Key
Extra
user_id
int(8)
No
PK
AUTO
username
varchar(11)
No
password
varchar(32)
No
What is .htaccess
Method for remote web-server control
 Support multiple users
 A simple text file in a directory


Called .htaccess
.htaccess

Built into Apache



Other servers have other means
Disabled by default
Put file into a directory to make site
settings

Controlled by closest file in the hierarchy
Performance Hit

If htaccess is turned on in Apache then
Apache will look in every directory for an
htaccess file and read it if it is there.

If a file is requested out of a directory
/www/htdocs/example, Apache must look for:





/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess
Lower file directives overrode higher ones
On the other hand …
It does allow users to control their own
sub-directory tree without affecting others
 There are other ways to do this but they
require system-level access to Apache—
which you may not want to give to users
who each control their own sub-tree
(website)

Use .htaccess to…
Customize error messages
 Password protect sites
 Block access by IP addresses
 Block rippers and bots
 Prevent hot linking (e.g., another site to
embed images from your site)

Error messages
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
400
401
403
404
500
/errors/badrequest.html
/errors/authreqd.html
/errors/forbid.html
“Not here <em>bucko</em>!”
/errors/serverx.html
Access control

Modify .htaccess:
AuthUserFile /usr/local/myhome/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require valid-user

Now, create a password file
.htpasswd
Put in a safe location
 Username, password pairs


Passwords are encrypted using a hash
Eg:
It210:cwQgdU78tJoCc
See online site for generating passwords
Other commands

Block IPs
order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all

Block rippers
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT}
RewriteCond %{HTTP_USER_AGENT}
RewriteCond %{HTTP_USER_AGENT}
RewriteCond %{HTTP_USER_AGENT}
RewriteRule ^.* - [F,L]
^WebGo\ IS [OR]
^WebLeacher [OR]
^WebReaper [OR]
^WebSauger
Finally

Block hot links

These steal your intellectual property and your
bandwidth!
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER}
!^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]
Download