I plan to have a client-side application (not a browser) pass an encrypted
user name and password to a php file for validation, which will return an
xml string if the user is validated.

Obviously I don't want Apache to serve up that php file to any browser or
other app that asks for it. How do I prevent that from happening?

Alternatively, is there a better method to accomplish what I'm trying to do?

On Sun, 27 Jan 2008 14:17:15 -0800, "Paul Pedersen"
<nospam@no.spam> wrote:

> I plan to have a client-side application (not a browser) pass an encrypted
> user name and password to a php file for validation, which will return an
> xml string if the user is validated.
>
> Obviously I don't want Apache to serve up that php file to any browser or
> other app that asks for it. How do I prevent that from happening?

First off all, apache doesn't "serve up" .php if you
configure it to run the script. It just runs the php
script and the script decides what the response should be.

You can't prevent a browser or other app to try to do the
same as your app. It's apache, so your app will send a
request like:
GET /validate.php?u=encrypteduid&p=encryptedpsw HTTP/1.1
or
POST /validate.php HTTP/1.1
with the encrypted userID/password in the request header.
Any socket capable program can imitate that.

if the request is well-formed you can't prevent Apache
from triggering the .php script, regardless the client
which composed it.

Just a few possibilities:

1) You can obfuscate by using an uncommon port (not 80 or
8080).

2) You can obfuscate by sending an uncommon query string
GET /validate.php?somestring_with_encrypted_uid_and_psw

3) You can obfuscate by leaving out the .php extension and
using the trick in
http://richardlynch.blogspot.com/200...sposition.html
4) Your php script can refuse to answer invalid requests,
either by sending nothing or sending a 403 response and
disconnecting.

4) Require a valid client certificate.

6) A combination of 1) thru 5)

7) Of course your encryption is perfect and your script
will only send the .xml file if the userID and password
are correct, so what do you worry about?

> Alternatively, is there a better method to accomplish
> what I'm trying to do?

It will have been done before, but I don't know any
examples.

HTH
--
( Kees
)
c[_] Se cio` che dici non offende nessuno, vuol
dire che non hai detto nulla. (Oscar Wilde) (#94)

Thanks for your responses. All good suggestions.

But I don't think my original question got answered.



> First off all, apache doesn't "serve up" .php if you
> configure it to run the script.

Perhaps that's what I was asking for. How?



> You can't prevent a browser or other app to try to do the
> same as your app.

I don't mind that. If the request doesn't validate, nothing significant will
be returned.

What I'm concerned about is someone being able to read the php file itself.

What's to prevent someone from, for instance, using something like
URLDownloadToFile to retrieve the file:
"http://www.mysite.com/loginvalidation.php"?

Paul Pedersen wrote:
> Thanks for your responses. All good suggestions.
>
> But I don't think my original question got answered.
>
>
>
>> First off all, apache doesn't "serve up" .php if you
>> configure it to run the script.
>
> Perhaps that's what I was asking for. How?
>
>
>
>> You can't prevent a browser or other app to try to do the
>> same as your app.
>
> I don't mind that. If the request doesn't validate, nothing significant will
> be returned.
>
> What I'm concerned about is someone being able to read the php file itself.
>
> What's to prevent someone from, for instance, using something like
> URLDownloadToFile to retrieve the file:
> "http://www.mysite.com/loginvalidation.php"?
>
php executes on the server side, and is never visible to the client. All
that is visible to the client is whatever the php file returns when it
executes.

Except if course if your security has been breached, and an intruder is
hacking your site.

Posted Via Usenet.com Premium Usenet Newsgroup Services
----------------------------------------------------------
** SPEED ** RETENTION ** COMPLETION ** ANONYMITY **
----------------------------------------------------------
http://www.usenet.com

Paul Pedersen wrote:
> Thanks for your responses. All good suggestions.
>
> But I don't think my original question got answered.
>
>
>
>> First off all, apache doesn't "serve up" .php if you
>> configure it to run the script.
>
> Perhaps that's what I was asking for. How?
>
>
>
>> You can't prevent a browser or other app to try to do the
>> same as your app.
>
> I don't mind that. If the request doesn't validate, nothing significant will
> be returned.
>
> What I'm concerned about is someone being able to read the php file itself.
>
> What's to prevent someone from, for instance, using something like
> URLDownloadToFile to retrieve the file:
> "http://www.mysite.com/loginvalidation.php"?
>

You put your scripts in a directory that is outside of your DocumentRoot
and use a scriptalias directive. You should never put scripts under
your DocumentRoot.

Jim

"William Colls" <william@procomsys.com> wrote in message
news:479E5824.2080602@procomsys.com...

>> What's to prevent someone from, for instance, using something like
>> URLDownloadToFile to retrieve the file:
>> "http://www.mysite.com/loginvalidation.php"?
>>
> php executes on the server side, and is never visible to the client. All
> that is visible to the client is whatever the php file returns when it
> executes.
>

I have used exactly that method to retrieve php files from some sites.

"Jim Hayter" <see.reply.to@nowhere.invalid> wrote in message
news:13psoo8lc427cc0@news.supernews.com...

>> What's to prevent someone from, for instance, using something like
>> URLDownloadToFile to retrieve the file:
>> "http://www.mysite.com/loginvalidation.php"?
>>
>
> You put your scripts in a directory that is outside of your DocumentRoot
> and use a scriptalias directive. You should never put scripts under your
> DocumentRoot.
>
> Jim

Now that's starting to make sense. Thanks.

But how do I do that?

Especially if my web site is hosted on a shared server somewhere in
cyberspace, how do I put files "outside DocumentRoot"?

"Paul Pedersen" <nospam@no.spam> wrote in message
news:PMmdnb5lgLdrwwLanZ2dnUVZ_uevnZ2d@comcast.com. ..
>
> "Jim Hayter" <see.reply.to@nowhere.invalid> wrote in message
> news:13psoo8lc427cc0@news.supernews.com...
>
>>> What's to prevent someone from, for instance, using something like
>>> URLDownloadToFile to retrieve the file:
>>> "http://www.mysite.com/loginvalidation.php"?
>>>
>>
>> You put your scripts in a directory that is outside of your DocumentRoot
>> and use a scriptalias directive. You should never put scripts under your
>> DocumentRoot.
>>
>> Jim
>
> Now that's starting to make sense. Thanks.
>
> But how do I do that?
>
> Especially if my web site is hosted on a shared server somewhere in
> cyberspace, how do I put files "outside DocumentRoot"?


I found the answer, for anyone else who has this problem. Sign in to your
hosting account and find a a place that will allow you to set file and
folder permissions.

I still haven't found how to do that on the Apache server on my local
machine, but I'm sure there's a way.

Paul Pedersen wrote:

<snip>

>> But how do I do that?
>>
>> Especially if my web site is hosted on a shared server somewhere in
>> cyberspace, how do I put files "outside DocumentRoot"?
>
>
> I found the answer, for anyone else who has this problem. Sign in to your
> hosting account and find a a place that will allow you to set file and
> folder permissions.
>
> I still haven't found how to do that on the Apache server on my local
> machine, but I'm sure there's a way.
>

That is not placing files outside documentroot.
You are describing some system you havin't even mentioned.
Placinf file outside documentroot mean that you put them in a directory
that is simply not under your documentroot.
eg: If the documentroot for your webapp is:
/home/paul/public_html/
you place them for example here:
/home/paul/mydir/

Bottomline is nobody can type something like this:
http://www.example.com/~paul/secretfile
and access the file.

Regards,
Erwin Moller

"Erwin Moller"
<Since_humans_read_this_I_am_spammed_too_much@spam yourself.com> wrote in
message news:47a6ecac$0$85786$e4fe514c@news.xs4all.nl...
> Paul Pedersen wrote:
>
> <snip>
>
>>> But how do I do that?
>>>
>>> Especially if my web site is hosted on a shared server somewhere in
>>> cyberspace, how do I put files "outside DocumentRoot"?
>>
>>
>> I found the answer, for anyone else who has this problem. Sign in to your
>> hosting account and find a a place that will allow you to set file and
>> folder permissions.
>>
>> I still haven't found how to do that on the Apache server on my local
>> machine, but I'm sure there's a way.
>>
>
> That is not placing files outside documentroot.
> You are describing some system you havin't even mentioned.
> Placinf file outside documentroot mean that you put them in a directory
> that is simply not under your documentroot.
> eg: If the documentroot for your webapp is:
> /home/paul/public_html/
> you place them for example here:
> /home/paul/mydir/
>
> Bottomline is nobody can type something like this:
> http://www.example.com/~paul/secretfile
> and access the file.


Yes, that's what I meant.

Although I am running Apache locally for test and development purposes, that
is not where the site is hosted. It's hosted on a remote shared server
running Apache, and I don't think I have a way to put a directory "outside"
documentroot in that situation.

I know that's not strictly an Apache issue, but if you have an answer, I'd
be glad to hear it.

Paul Pedersen wrote:
> "Erwin Moller"
> <Since_humans_read_this_I_am_spammed_too_much@spam yourself.com> wrote in
> message news:47a6ecac$0$85786$e4fe514c@news.xs4all.nl...
>> Paul Pedersen wrote:
>>
>> <snip>
>>
>>>> But how do I do that?
>>>>
>>>> Especially if my web site is hosted on a shared server somewhere in
>>>> cyberspace, how do I put files "outside DocumentRoot"?
>>>
>>> I found the answer, for anyone else who has this problem. Sign in to your
>>> hosting account and find a a place that will allow you to set file and
>>> folder permissions.
>>>
>>> I still haven't found how to do that on the Apache server on my local
>>> machine, but I'm sure there's a way.
>>>
>> That is not placing files outside documentroot.
>> You are describing some system you havin't even mentioned.
>> Placinf file outside documentroot mean that you put them in a directory
>> that is simply not under your documentroot.
>> eg: If the documentroot for your webapp is:
>> /home/paul/public_html/
>> you place them for example here:
>> /home/paul/mydir/
>>
>> Bottomline is nobody can type something like this:
>> http://www.example.com/~paul/secretfile
>> and access the file.
>
>
> Yes, that's what I meant.
>
> Although I am running Apache locally for test and development purposes, that
> is not where the site is hosted. It's hosted on a remote shared server
> running Apache, and I don't think I have a way to put a directory "outside"
> documentroot in that situation.
>
> I know that's not strictly an Apache issue, but if you have an answer, I'd
> be glad to hear it.
>

That depends on the configuration at the webhost. I use one where I have
access via ftp & ssh to place files outside documentroot.
ftp & ssh into $HOME, documentroot is $HOME/public_html

--
Andy Ruddock
------------
andy_DOT_ruddock_AT_gmail_DOT_com (GPG Key ID 0x74F41E8F)

"Andy Ruddock" <andy.ruddock+news@gmail.com> wrote in message
news:47a790de$1@proxy.mimer.no...
>>> Bottomline is nobody can type something like this:
>>> http://www.example.com/~paul/secretfile
>>> and access the file.
>>
>>
>> Yes, that's what I meant.
>>
>> Although I am running Apache locally for test and development purposes,
>> that
>> is not where the site is hosted. It's hosted on a remote shared server
>> running Apache, and I don't think I have a way to put a directory
>> "outside"
>> documentroot in that situation.
>>
>> I know that's not strictly an Apache issue, but if you have an answer,
>> I'd
>> be glad to hear it.
>>
>
> That depends on the configuration at the webhost. I use one where I have
> access via ftp & ssh to place files outside documentroot.
> ftp & ssh into $HOME, documentroot is $HOME/public_html
>

With mine, it "appears" that the main directory IS documentroot and I cannot
change it.
Instead, I can create directories within that, and prevent Apache from
making those accessible except by my own scripts.

Is that possibly the case, or am I misunderstanding something? If it
matters, I think they are using Apache 1.x.

Paul Pedersen wrote:
> "Andy Ruddock" <andy.ruddock+news@gmail.com> wrote in message
> news:47a790de$1@proxy.mimer.no...
>>>> Bottomline is nobody can type something like this:
>>>> http://www.example.com/~paul/secretfile
>>>> and access the file.
>>>
>>> Yes, that's what I meant.
>>>
>>> Although I am running Apache locally for test and development purposes,
>>> that
>>> is not where the site is hosted. It's hosted on a remote shared server
>>> running Apache, and I don't think I have a way to put a directory
>>> "outside"
>>> documentroot in that situation.
>>>
>>> I know that's not strictly an Apache issue, but if you have an answer,
>>> I'd
>>> be glad to hear it.
>>>
>> That depends on the configuration at the webhost. I use one where I have
>> access via ftp & ssh to place files outside documentroot.
>> ftp & ssh into $HOME, documentroot is $HOME/public_html
>>
>
> With mine, it "appears" that the main directory IS documentroot and I cannot
> change it.
> Instead, I can create directories within that, and prevent Apache from
> making those accessible except by my own scripts.
>
> Is that possibly the case, or am I misunderstanding something? If it
> matters, I think they are using Apache 1.x.
>

It's quite possible that your hoster has set up apache in this fashion,
in which case you'll probably have to use .htaccess to prevent the files
simply being delivered in response to a direct request via http.
Again, what you can achieve in this way is dependent upon the
configuration at your webhost.

--
Andy Ruddock
------------
andy_DOT_ruddock_AT_gmail_DOT_com (GPG Key ID 0x74F41E8F)

"Andy Ruddock" <andy.ruddock+news@gmail.com> wrote in message
news:47a88a5e$1@proxy.mimer.no...
> It's quite possible that your hoster has set up apache in this fashion,
> in which case you'll probably have to use .htaccess to prevent the files
> simply being delivered in response to a direct request via http.
> Again, what you can achieve in this way is dependent upon the
> configuration at your webhost.
>
> --
> Andy Ruddock
> ------------
> andy_DOT_ruddock_AT_gmail_DOT_com (GPG Key ID 0x74F41E8F)


That's ful information. Thanks!