  1. #1
    feketegy (Founder of Primal Skill Ltd.)

    How do you secure admin assets?

    Hey, I have a question.

    How do you properly secure admin CSS and JS?

    Channeling the files through PHP would be rather complex and not very optimal.

    Creating a .htaccess file in the directory (ex. admin/css) would mean that the custom authentication using PHP and MySQL would not work, because first you'd have to type in your user name and password for the secure folder (with Apache basic authentication).

    So how do you do it?
    How do you secure those assets?

  2. #2
    Jake Arkinstall (Lancaster University, UK)
    First of all, why would you want to do that?

  3. #3
    feketegy (Founder of Primal Skill Ltd.)
    Because I'm doing some AJAX stuff in JavaScript and I don't want any peeking eyes to see it.

    Yes, I know I can make my JS secure and it is secure, but I'm more comfortable if I know that only my admins' browsers download those files.

  4. #4
    Grumpy Minimalist (Ontario, Canada)
    If your PHP is doing custom authentication, then the only way to use that custom authentication is by using PHP. Either channel them through PHP or read them inline into your output.

  5. #5
    feketegy (Founder of Primal Skill Ltd.)
    OK.

    Is there a best practice of doing this?

  6. #6
    Jake Arkinstall (Lancaster University, UK)
    How I'd do that:

    • Have a .htaccess file:
      Code:
      RewriteEngine On
      # do not rewrite the gatekeeper script itself (avoids a rewrite loop)
      RewriteCond $1 !^get\.php$
      RewriteRule ^(.*)$ get.php?file=$1 [L]
    • get.php:
      PHP Code:
      <?php
      session_start();
      // "check login" and "validate file name" are placeholders for the poster's own
      // checks; the session key and file-name pattern below stand in for them.
      $file      = isset($_GET['file']) ? $_GET['file'] : '';
      $loggedIn  = !empty($_SESSION['admin']);                                 // check login
      $validName = preg_match('/^[A-Za-z0-9_-]+\.(css|js)$/', $file) === 1;    // validate file name
      if ($loggedIn && $validName && file_exists($file)) {
          include($file);
      }

  7. #7
    feketegy (Founder of Primal Skill Ltd.)
    @arkinstall: This creates too much overhead. Opening every JavaScript and CSS file then tunneling it through PHP...

  8. #8
    TheRedDevil (Norway)
    There is no need to protect the CSS or the JS scripts.

    The only part you should protect is the pages which receive requests from the JS script. That way you make certain only persons with valid access can use it.

  9. #9
    SpacePhoenix (Poole, UK)
    Have you tried user groups with the user authentication, say one user group for admins and another for other members?

  10. #10
    SitePoint Wizard
    Are you trying to avoid invoking the PHP interpreter completely, or are you just trying to avoid having your script handle the actual procedure to push the file in question to the browser?

    If you are using Apache, there is a module to let you offload the response handling back to Apache. I don't recall its name off my head right now though, but I know I posted it on here not too long ago.

    EDIT: http://tn123.ath.cx/mod_xsendfile/
    Don't know what the performance cost/benefit is though.
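    As an added example (not code from the thread or from mod_xsendfile itself), here is the get.php gatekeeper from post #6 written out in full, with the delivery step switchable between readfile() and the X-Sendfile header this post points to. It assumes the login code sets $_SESSION['is_admin'] (a hypothetical key), that the admin assets live outside the web root in ASSET_DIR, and that mod_xsendfile is enabled (XSendFile On, plus XSendFilePath on newer versions) before USE_XSENDFILE is switched on.

```php
<?php
// Added example: serve admin CSS/JS only to an authenticated admin session.
// Assumptions: $_SESSION['is_admin'] is set by the poster's own login code
// (hypothetical key); ASSET_DIR is not reachable directly over HTTP.
session_start();

define('ASSET_DIR', '/var/www/private/admin_assets'); // outside the web root
define('USE_XSENDFILE', false);                       // true once mod_xsendfile is configured

// 1. Authentication: an unauthenticated request gets a 403, never the file.
if (empty($_SESSION['is_admin'])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// 2. File-name validation: a strict allowlist rejects "../", absolute paths,
//    and anything that is not a plain .css or .js name.
$name = isset($_GET['file']) ? $_GET['file'] : '';
if (!preg_match('/^[A-Za-z0-9_-]+\.(css|js)$/', $name)) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}

// 3. Resolve the path and re-check that it stayed inside ASSET_DIR.
$base = realpath(ASSET_DIR);
$path = realpath(ASSET_DIR . '/' . $name);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

// 4. Correct content type; private caching so shared proxies never store it.
$types = array('css' => 'text/css', 'js' => 'application/javascript');
$ext   = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . $types[$ext] . '; charset=UTF-8');
header('Cache-Control: private, no-store');

// 5. Delivery: hand the file back to Apache, or stream it from PHP.
if (USE_XSENDFILE) {
    header('X-Sendfile: ' . $path);   // Apache reads and sends the file; PHP is done
} else {
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

    With X-Sendfile the PHP process only performs the checks; Apache does the file I/O, which is the overhead reduction post #7 was worried about.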

  11. #11
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    I do not secure admin assets, be it JavaScript, CSS, or images, because none of those things contain anything that would compromise the security of my application. If they get paths to some AJAX function, big deal; the attacker must first get past the authentication. And it is easy to develop a private token at runtime in PHP for JavaScript to use in its AJAX.
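    An added example, not code from any poster, of the approach posts #8 and #11 describe: leave the JS and CSS public and protect the endpoint the JS calls, using the session login plus a random per-session token. It assumes the login code sets $_SESSION['is_admin'] (hypothetical key), that the admin page prints admin_ajax_token() where the script can read it, and that the script sends it back in an X-Admin-Token request header.

```php
<?php
// Added example: protect the AJAX endpoint, not the script that calls it.
// Assumptions: $_SESSION['is_admin'] is set by the poster's login code
// (hypothetical); the admin JS sends the token as an X-Admin-Token header,
// e.g. xhr.setRequestHeader('X-Admin-Token', token);
session_start();

// Called while rendering the admin page: create (or reuse) a random token
// bound to this session and expose it to the script (e.g. a data attribute).
function admin_ajax_token()
{
    if (empty($_SESSION['ajax_token'])) {
        $_SESSION['ajax_token'] = bin2hex(random_bytes(16)); // PHP 7+ CSPRNG
    }
    return $_SESSION['ajax_token'];
}

// Called at the top of every AJAX endpoint (e.g. admin/ajax/save.php).
function require_admin_ajax()
{
    // 1. Same session-based authentication the HTML admin pages use.
    if (empty($_SESSION['is_admin'])) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    // 2. Token check: a request forged from another site in the admin's
    //    browser (CSRF) cannot read the token, so it fails here.
    //    hash_equals() (PHP 5.6+) compares in constant time.
    $sent = isset($_SERVER['HTTP_X_ADMIN_TOKEN']) ? $_SERVER['HTTP_X_ADMIN_TOKEN'] : '';
    if (empty($_SESSION['ajax_token']) || !hash_equals($_SESSION['ajax_token'], $sent)) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
}

// Endpoint body: everything below runs only for an authenticated, token-bearing call.
require_admin_ajax();
header('Content-Type: application/json');
echo json_encode(array('ok' => true));
```

    Knowing the endpoint's URL from the public JS gives an outsider nothing: without a logged-in admin session and the matching token the endpoint only ever returns 403.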


  12. #12
    feketegy (Founder of Primal Skill Ltd.)
    Interesting stuff...
    I was concerned about AJAX, but I guess the server-side authentication for the AJAX PHP files is enough, with a random token on page load...

  13. #13
    SitePoint Guru
    Just add some HTTP authentication on the /admin/ folder, and you're done.

  14. #14
    feketegy (Founder of Primal Skill Ltd.)
    But with HTTP authentication I can't request the files unless I'm signed in to view the folder's content.
