Restrict html file access in wordpress based on logged in users - html

We have HTML files in a folder in a WordPress application. We want to restrict access to those HTML files based on WordPress user login; how can we restrict HTML file access?
The .htaccess password mechanism is not good enough, because the user is already logged into WordPress, and entering credentials again in a popup is unwanted.
Any pointers to an implementation?

This is a solution I used for protected files in WordPress. The files resided in a specific folder; access to that folder was denied for all users via .htaccess, with access control purely by WordPress user status.
serve.php:
<?php
ob_start();
header('Content-Type: text/html');
header('Expires: 0');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', false);
header('Pragma: no-cache');
// Load WordPress core (without the theme) so is_user_logged_in() is available
$wpload = $_SERVER['DOCUMENT_ROOT'] . '/wp-load.php';
define('WP_USE_THEMES', false);
include_once $wpload;
$loggedin = is_user_logged_in();
// Here you can also do more extensive checks, e.g. each user only has access to his own folder or files
if (!$loggedin) {
    status_header(403);
    exit;
}
// basename() strips any directory part, so "../" in the parameter cannot escape the protected folder
$file = basename(sanitize_text_field($_GET['file'] ?? ''));
$dir  = realpath(dirname(__FILE__) . '/../../../uploads/myplugin/');
$path = $dir . '/' . $file;
if ($file === '' || $dir === false || !is_file($path)) {
    status_header(404);
    exit;
}
ob_end_clean();
readfile($path);
?>
The link to get the file would then look something like this:
https://mydomain/serve.php?file=my-sample.html
This works very well. One disadvantage is that browser caching does not work with this method, and on the server side the output is also slower. It shouldn't be a problem with HTML files; I used it to show images, and it added maybe 500ms of delay.
So, basically, serve.php is a standalone file that loads the basic WordPress files and examines a parameter passed in the query string.
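As an added example (not the answer's own code), here is the "more extensive check" mentioned above worked out: each logged-in user may only fetch files from a folder named after their own user ID, and the resolved path is verified with realpath() to stay under that folder. The uploads/myplugin/<user_id> layout and the function name are assumptions.

```php
<?php
// Added example: per-user file gate for a WordPress-protected folder.
// Assumed layout: wp-content/uploads/myplugin/<user_id>/<file>

/**
 * Resolve $requested to an absolute path inside this user's own folder,
 * or return null when the request must be refused.
 */
function resolve_user_file(string $base_dir, int $user_id, string $requested): ?string
{
    // Accept a plain file name only: no empty string, no dot-files, no slashes, no NUL bytes.
    if ($requested === '' || $requested[0] === '.' || preg_match('#[/\\\\\0]#', $requested)) {
        return null;
    }
    $user_dir = realpath($base_dir . '/' . $user_id);
    if ($user_dir === false) {
        return null;                       // this user has no folder yet
    }
    $path = realpath($user_dir . '/' . $requested);
    // realpath() collapses ".." and symlinks; the result must still start with
    // the user's folder followed by a separator, otherwise it escaped.
    $prefix = $user_dir . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

define('WP_USE_THEMES', false);
require_once $_SERVER['DOCUMENT_ROOT'] . '/wp-load.php';

if (!is_user_logged_in()) {
    status_header(403);
    exit;
}

$base = WP_CONTENT_DIR . '/uploads/myplugin';              // assumed protected folder
$path = resolve_user_file($base, get_current_user_id(), (string) ($_GET['file'] ?? ''));

if ($path === null) {
    status_header(404);    // same answer for "missing" and "not yours": no enumeration
    exit;
}

header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: private, no-store');
header('Content-Length: ' . filesize($path));
readfile($path);
```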

Related

Junk characters in URL when domain forwarding

I've been facing this issue lately. I have forwarded my domain to one of the files hosted on my GoDaddy shared hosting. However, whenever I hit the domain name in the browser it leads to the respective file (.html) along with the junk characters preceding.
Example:
www.domainname.info
Leads to:
https://www.mydomainname.in/coffee.html/NjSmZ/KiKgZ/
Result:
Error 404 page not found.
Haven't changed any code; it's a sudden behavior.
UPDATE (more info):
The NjSmZ/KiKgZ/ are the junk characters in the link. Forwarding is made through the GoDaddy domain forwarder itself. No external coding is done for forwarding.
www.Aitb.in is the domain which is being forwarded to advity.in/adarsha.html.
While I don't know how GoDaddy does its domain forwards internally, it does not seem to be a simple DNS CNAME, as nothing shows in the current domain's lookup.
While playing around, looking at the forwarded domain's response I see it delivers a 301 (moved permanently) http response. The response replaces the chosen domain with the new one, and keeps the path part of the URL intact.
Considering domain.a is the forwarded domain and domain.b is the new domain, that means:
http://domain.a/ => http://domain.b/
http://domain.a/contact.html => http://domain.b/contact.html
http://domain.a/a/long/path/ => http://domain.b/a/long/path/
But in your case, you are forwarding to more than just a domain... domain.b is more like domain.b/coffee.html; following the same rule, this means:
http://domain.a/ => http://domain.b/coffee.html
http://domain.a/contact.html => http://domain.b/coffee.html/contact.html
http://domain.a/a/long/path/ => http://domain.b/coffee.html/a/long/path/
So, my suggestion here is to either use a better landing page to url_rewrite the redirected paths to the correct one, or, if you cannot, try adding a ? or # at the end of your URL. This is pure speculation, but if the rewrite has no other hidden rules, this would give something like the following, which will make the appropriate request and "hide" the trash part.
http://domain.a/ => http://domain.b/coffee.html?
http://domain.a/contact.html => http://domain.b/coffee.html?/contact.html
http://domain.a/a/long/path/ => http://domain.b/coffee.html?/a/long/path/
The "junk characters" are certainly coming from GoDaddy and not from the original request. Domain Forwarding is just what GoDaddy calls their service that redirects web requests using a 301 or 302 redirect (or an iframe they call "masking"). The issue is that, for whatever reason, the GoDaddy web servers serving the redirects often append some "random" characters (as a subfolder) after the domain. In my experience the subfolder always appears directly after the domain, and before any path that may have been part of the original request. So, as Salketer says, it is just a hack. But there is still an issue on GoDaddy's side.
Also, if you do use the hack and you use Google Analytics on your site, you may want to add something like ?x= rather than just ?. Then you can exclude the x parameter in Analytics and you won't end up with a hundred different URLs for your homepage.
I had this problem occur on several different domains controlled by GoDaddy. I attempted several times to contact GoDaddy support to resolve the issue with no luck. Ultimately I decided to solve the problem myself because GoDaddy seems clueless about their problem.
Here is my solution:
Add this PHP code to the top of your 404 error page. For WordPress, add this to your theme's 404.php file:
<?php
/* GoDaddy 404 Redirects FIX - by Daniel Chase - https://riseofweb.com */
$currURL = $_SERVER['REQUEST_URI'];
$CheckRedirectError1 = substr($currURL, -6);    // last 6 chars: "abcde/" when the junk is at the end
$CheckRedirectError2 = substr($currURL, 0, 7);  // first 7 chars: "/abcde/" when the junk is at the start
$CheckRedirectError = false;
if (preg_match("/^[a-zA-Z]{5}\/$/", $CheckRedirectError1)) {
    $CheckRedirectError = $CheckRedirectError1;
} elseif (preg_match("/^\/[a-zA-Z]{5}\/$/", $CheckRedirectError2)) {
    $CheckRedirectError = substr($CheckRedirectError2, 1);
}
if ($CheckRedirectError) {
    $protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";
    // Drop the five-letter junk segment and send the visitor to the remaining path
    $redirectTo = str_replace($CheckRedirectError, '', $currURL);
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: " . $protocol . $_SERVER['HTTP_HOST'] . $redirectTo);
    exit();
}
?>
The script checks for the random characters and removes them, and then redirects to the proper page. You may need to add some exceptions or modify the script to fit your needs.
Thank you,
I ended up solving this issue by adding "?" at the end of the domain forwarding link
example: mydomain.com/main/foo.html?
or
example: mydomain.com/main/foo.html#

HTML - simple input to .txt

I am trying to figure out how to make a simple html code so that whenever anyone on the page types anything into the provided text box and hits submit, it adds that written text to an already existing .txt file on my server.
UPDATE 2/20/14 9:29AM: Well, that's unfortunate. I kind of figured I required .php, but sadly my webpage is hosted through Homestead and they do not have .php functionality. Was just hoping there was a workaround. Thanks for the responses.
If your server can run PHP, then the following page can be requested when the user clicks submit (using the POST method).
<?php
// Only act on a submitted form field
$in = isset($_POST['name']) ? $_POST['name'] : '';
$file = 'names.txt';
// Append the new person to the file. FILE_APPEND avoids the read-modify-write race
// of two submissions arriving at once (one would overwrite the other), and LOCK_EX
// serialises concurrent writers.
file_put_contents($file, $in, FILE_APPEND | LOCK_EX);
?>
You would have to use PHP to do this. Make the form action on your form link to a PHP script and inside have something like this.
<?php
$file = 'test.txt';
// Append directly instead of reading the whole file back in and rewriting it
file_put_contents($file, isset($_POST['text']) ? $_POST['text'] : '', FILE_APPEND | LOCK_EX);
?>

Third party cookie - read from other domain

I'm creating third party cookie with <img src="http://example.com/test.php" />
test.php:
<?php
if (!empty($_GET['r'])) {
    header('Content-Type: image/gif');
    // Transparent 1x1 GIF
    echo base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
    exit;
} else {
    // Use an unpredictable identifier; md5(time()) is guessable by anyone who knows the clock.
    // Note: current browsers only store a cookie set in a cross-site context when it carries
    // SameSite=None and Secure, which requires HTTPS.
    setcookie('name', bin2hex(random_bytes(16)), time() + 60*60*24*30, '/');
    $url = 'http://example.com/test.php?r=1';
    header('Location: ' . $url);
    exit;
}
This code creates a third-party cookie. Is there any method to read the created cookie through JavaScript from a different domain than example.com?
No. JavaScript only has access to the cookies for the current document, not for any of its dependencies.
If this wasn't the case then authors could load an image from any website you might have an account on, read the cookie with JavaScript, Ajax it to their server, and then have a copy of your current login token for that site. It would be a huge security hole.

Destroying session to logout, but user still logged in until page refreshes

I'm using the following code to log users of an application out:
session_start();
// The cookie is named after session_name() (e.g. PHPSESSID); session_id() is its value,
// so setcookie(session_id(), ...) never touches the real session cookie.
setcookie(session_name(), "", time() - 3600, "/");
$_SESSION = array();
session_destroy();
header("Location: index.php");
exit; // stop here so nothing after the redirect still runs with the old data
Afterwards they are sent back to the main page (index.php) of the application. To test that they've been successfully logged out, I return to another page on the menu which has code to check whether the session is active or not. If the session is active, it gets the username and gives them a little hello with the choice to log out.
After logging out initially the main page (index.php) doesn't show the welcome message above, but clicking on a page I had visited while logged in before does, even though the user isn't really logged in. If I hit F5, the logged-in message is cleared and the content they see as a logged-in user isn't available. So there appears to be some caching.
I've added the following headers to each page to try to force the browser not to cache content:
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', false);
header('Pragma: no-cache');
session_start();
But no luck :(
Any ideas? Thanks!
I had a similar problem with IE7 allowing users to "browse" a website from which they had already been logged out.
Have a look at:
http://php.net/manual/en/function.session-cache-limiter.php
I ended up with the following (for me) working combination:
session_cache_limiter ('private_no_expire, must-revalidate');
I believe you are destroying the session alright, but you still have a client-side cookie which you set that is not being destroyed.
Cookies are different than sessions, I believe.
Try the `unset()` or `session_unset()` function to unset the individual `session variables` rather than only `session_destroy()`. This way is more efficient, I guess.
Please browse the following link for detailed information:
http://php.net/manual/en/function.session-unset.php
Check session by $_SESSION['yourSessionName'] OR print_r($_SESSION);
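An added example, not from any of the answers above: a guard file that every protected page includes before producing output. It disables caching of authenticated pages through session_cache_limiter() (the function the IE7 answer points to) and logs out by expiring the cookie with the same parameters it was issued with, so a cached page cannot resume the session. The $_SESSION['user_id'] key and the file name are assumptions.

```php
<?php
// Added example: auth_guard.php, included at the very top of every protected page
// (before any output, since it sends headers).

// Emit Cache-Control: no-store etc. together with the session headers, so the
// browser will not replay an authenticated page after logout (back button, history).
session_cache_limiter('nocache');
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

/** Return the logged-in user id, or null when there is no valid session. */
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;  // key assumed
}

/** Redirect anonymous visitors to the login page and stop the script. */
function require_login(string $login_url = 'index.php'): void
{
    if (current_user_id() === null) {
        header('Location: ' . $login_url, true, 302);
        exit;
    }
}

/**
 * Full logout: clear the data, drop the server-side session and expire the
 * cookie using the same path/domain it was issued with (otherwise the browser
 * keeps the old cookie and a stale page can still look "logged in").
 */
function logout(string $redirect_to = 'index.php'): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
    header('Location: ' . $redirect_to, true, 302);
    exit;
}
```

Protected pages include the guard and call require_login(); a logout.php includes it and calls logout().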

Server Side Include

Is it possible to use a server side include to access files that are outside of the server?
If not what are some other options to do this?
Use cURL to get data from outside of the domain. If you want to then execute the data you receive, go ahead and eval() it. But be forewarned that this will get the 'output' of the page, meaning that if it is an executed page like a '.php' page, you will get the data that comes out as a result of it being processed.
<?php
// create a new cURL resource
$ch = curl_init();
// set URL and other appropriate options
curl_setopt($ch, CURLOPT_URL, "http://www.example.com/");
curl_setopt($ch, CURLOPT_HEADER, 0);
// grab URL and pass it to the browser
curl_exec($ch);
// close cURL resource, and free up system resources
curl_close($ch);
?>
The same is true for file_get_contents() and fopen().
If you wanted to grab the 'actual' contents of the file, you would want to set up a proxy of sorts on the other server. (You can't do it on your server because then it would be a security flaw in how server-side-scripting works).
<?php
// Read the requested file out
readfile($_GET['file']);
That will give you the contents of any file you request:
http://test.com/handler.php?file=handler.php
But, if anyone else finds it, it could be dangerous.
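As an added example (not from the answer above), here is the same handler.php written so that it can be left on the public server: the request names an entry in a fixed allowlist instead of a path, so nothing outside the listed files can ever be read, the MIME type is pinned per entry, and the consuming server must present a shared secret. The entry names, paths, token header and environment variable are assumptions.

```php
<?php
// Added example: handler.php with an explicit allowlist instead of readfile($_GET['file']).
// The keys, paths, header name and environment variable are assumptions for illustration.

// Which names the consuming server may ask for, and what each one maps to on disk.
const SERVED_FILES = [
    'header' => ['path' => __DIR__ . '/includes/header.html', 'type' => 'text/html; charset=utf-8'],
    'footer' => ['path' => __DIR__ . '/includes/footer.html', 'type' => 'text/html; charset=utf-8'],
    'menu'   => ['path' => __DIR__ . '/includes/menu.json',   'type' => 'application/json'],
];

/**
 * Return the allowlist entry for $name, or null when the name is unknown.
 * The lookup is by exact key, so "../", absolute paths or "handler.php" itself
 * can never be selected, whatever the caller sends.
 */
function lookup_served_file(string $name): ?array
{
    return SERVED_FILES[$name] ?? null;
}

/** Constant-time comparison of the shared secret the consuming server must send. */
function caller_is_authorized(?string $presented, string $expected): bool
{
    return $presented !== null && hash_equals($expected, $presented);
}

// Shared secret agreed with the consuming server (assumed to be set in the environment).
$secret = getenv('INCLUDE_PROXY_TOKEN') ?: '';

if ($secret === '' || !caller_is_authorized($_SERVER['HTTP_X_INCLUDE_TOKEN'] ?? null, $secret)) {
    http_response_code(403);
    exit;
}

$entry = lookup_served_file((string) ($_GET['name'] ?? ''));
if ($entry === null || !is_file($entry['path'])) {
    http_response_code(404);
    exit;
}

header('Content-Type: ' . $entry['type']);
header('Cache-Control: private, no-store');
readfile($entry['path']);
```

The consuming server requests e.g. handler.php?name=header with the X-Include-Token header set; any other name, or a missing token, gets a bare 404 or 403.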
You don't mention the server software, but I'll assume Apache, where SSI is provided by the mod_include module. The include element does not allow remote files. However, you have exec, which allows you to execute any external tool; you can use it to call wget or any other command of your choice.
However, it might not be so complicated. If you can mount the remote directory in the local system, you can create a plain symlink and use a regular include.
Or, as already suggested, PHP is really simple to use.
You can do something like file_get_contents() or fopen() to do this in php, e.g.
<?php
echo file_get_contents('http://www.example.com/include');
?>
Yes, nginx's server side includes can use any full url eg:
<!--# include virtual="http://www.stackoverflow.com/" -->