Sessions, Cookies, & .htaccess
IT 210

Procedural Issues
Quiz #3 Today!
Homework #3 Due Friday at midnight
UML for Lab 4
Withdraw Deadline is Wed, Feb 8th
Resources and strategies when getting stuck?

Problem
HTTP is stateless.
This causes problems when you want the server to “remember” a user (e.g., checkout baskets, customized presentation).
This problem is solved by using cookies and sessions.

Sessions and Cookies

PHP Sessions
Remember: HTTP is memoryless.
“Sessions” provide temporary memory for web site access.
Created by the server (e.g., PHP).
Associative array (name/value pairs).
Expires after ~15 minutes of inactivity.
Removed when the browser is closed.
Stored in cookies or on the query string. The query string doesn’t allow for the back button and has security problems.
UID and program-defined variables are saved.

Cookies are used for…
Session Management
Personalization
Web analytics

Cookies
Small text file stored in a file on the client (“cookie jar”).
Name/value pairs with expiration date, location, & source indicated.
Can be marked secure (sent only over HTTPS, so encrypted in transit) or not.
First party (from the domain you’re visiting) vs. third party (from a different domain).
Session cookies (end when you close the browser) vs. persistent cookies (stored for a long time and used when you revisit the site).

Cookies
Set with:

<?php
// Calculate 60 days in the future
// seconds * minutes * hours * days + current time
$inTwoMonths = 60 * 60 * 24 * 60 + time();
setcookie('lastVisit', date("G:i - m/d/y"), $inTwoMonths);
?>

Retrieve with: $_COOKIE

Our goal: secure login
Secure?
Use PHP to read the form, and check the results against a database.
If valid, set a variable to ‘true’, otherwise ‘false’.

Column Name   Type          Null   Primary Key   Extra
user_id       int(8)        No     PK            AUTO
username      varchar(11)   No
password      varchar(32)   No

What is .htaccess?
Method for remote web-server control
Supports multiple users
A simple text file in a directory, called .htaccess

.htaccess
Built into Apache (other servers have other means)
Disabled by default
Put the file into a directory to make site settings
Controlled by the closest file in the hierarchy

Performance Hit
If .htaccess is turned on in Apache, then Apache will look in every directory for an .htaccess file and read it if it is there.
If a file is requested out of the directory /www/htdocs/example, Apache must look for:
/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess
Lower file directives override higher ones.

On the other hand …
It does allow users to control their own sub-directory tree without affecting others.
There are other ways to do this, but they require system-level access to Apache, which you may not want to give to users who each control their own sub-tree (website).

Use .htaccess to…
Customize error messages
Password protect sites
Block access by IP address
Block rippers and bots
Prevent hot linking (e.g., another site embedding images from your site)

Error messages
ErrorDocument 400 /errors/badrequest.html
ErrorDocument 401 /errors/authreqd.html
ErrorDocument 403 /errors/forbid.html
ErrorDocument 404 “Not here <em>bucko</em>!”
ErrorDocument 500 /errors/serverx.html

Access control
Modify .htaccess:
AuthUserFile /usr/local/myhome/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require valid-user

Now, create a password file .htpasswd
Put it in a safe location
Username, password pairs
Passwords are stored hashed (one-way), not encrypted
Eg: It210:cwQgdU78tJoCc
See online site for generating passwords

Other commands
Block IPs
order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all

Block rippers
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger
RewriteRule ^.* - [F,L]

Finally
Block hot links
These steal your intellectual property and your bandwidth!
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]
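The “Our goal: secure login” slides describe the check (read the form, compare against the database, set a variable to true or false) without showing it; the following is an added PHP example, not code from the slides, of a login handler that does that against the users table shown above and keeps the result in the PHP session with a safely configured session cookie. It assumes a PDO connection with placeholder credentials, and that the password column has been widened from varchar(32) to varchar(255): 32 characters only fits an MD5 hex digest, which is not a suitable password hash, whereas password_hash() output is 60 characters or more.

```php
<?php
// Added example (not from the slides): form login checked against the users
// table (user_id, username, password), with the password column assumed to be
// varchar(255) so it can hold a password_hash() value.
declare(strict_types=1);

// Session cookie: HTTPS only, not readable by page JavaScript, not sent
// cross-site, and discarded when the browser closes (lifetime 0).
session_set_cookie_params([
    'lifetime' => 0,
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

function authenticate(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the submitted username never becomes SQL text.
    $stmt = $db->prepare('SELECT user_id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The stored value was produced by password_hash($pw, PASSWORD_DEFAULT)
    // when the account was created; password_verify() does the comparison.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }

    // New session ID on login so an ID handed out before authentication
    // (e.g. one planted by a session-fixation attempt) is not kept.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    return true;
}

// Placeholder DSN and credentials (assumption): use the course database settings.
$db = new PDO('mysql:host=localhost;dbname=it210', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

// The variable the slide asks for: true when valid, false otherwise.
$_SESSION['loggedIn'] = authenticate($db, $user, $pass);

header('Location: ' . ($_SESSION['loggedIn'] ? '/account.php' : '/login.php?failed=1'));
exit;
```

Pages that require a login then check $_SESSION['loggedIn'] === true after session_start(), and the session data itself stays on the server; only the session ID travels in the cookie.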