duancheng7743 2014-07-07 18:54

How to protect an admin folder in PHP

I am looking to find a way I can secure the admin area, especially the folder itself, from outside access (these include folders with images and css). I have read a lot of suggestions but they all feel more like a compromise or workaround than a bulletproof method, or I am not understanding which is best for security and hidden from the outside world. I want to be the only one that knows about it or accesses it. Hoping someone can shed some light on what they would use when they want the area completely hidden from the outside world, whilst still accessible to you.

Some of the methods I have come across involve:

  1. Moving folder outside of root
  2. Using Htaccess Deny all. (also means I can't login unless I apply a static IP address which I do not have)
  3. Another way I thought of could be to use session variable to store admin, recognize and grant access based on session ID. (This does mean all other css files and image folders are viewable).
  4. Adding an index page in the folder, which I see a lot of sites do.

I currently have my login script redirect me to my admin area, so is there any way for the whole folder to recognize it's me and grant access and serve files only if a logged-in admin PHP file is requesting it, and if not, to decline access, including images and css etc.?

Can't figure out how best to protect this area. Is using a session a secure way of identifying an admin?

3 answers

  • drpogkqqi536984960 2014-07-07 19:01

    The easiest way to ensure content is not exposed to the web is to place it above the site folder in your directory structure.

    So, for example, in your Apache configuration mount the site at

    /var/www/sites/site/content/

    and place the restricted content at

    /var/www/sites/site/

    That way the content will not be exposed, but PHP can still read it if required.

    Obviously this will not stop users from seeing what is in your css files if PHP reads them and echoes them out, but I don't see why a css file should need to be secure.

    Edit

    Supposing you have a folder on your server at /var/www/sites/site/content/some_folder

    and you enter www.yoursite.com/some_folder into a browser, assuming you have indexes open in your site, you will see a list of files in some_folder.

    But how can you get to /var/www/sites/site/ from a web browser? ... You can't!!

    But what you can do is something like this:

    And this would be a php file inside the main site folder (visible to public)

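    <?php

    session_start();
    // Include the file stored outside the web root only for a logged-in admin.
    // !empty() also rejects a flag that is set but false, which isset() would accept.
    if (!empty($_SESSION['admin_logged_in'])) {
        include '/var/www/sites/site/secret_content.php';
    }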
    
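The gatekeeper idea from the answer above, extended to the images and CSS the question asks about, as an added example that is not part of the original thread: a PHP script in the public folder that streams files from a directory outside the web root only to a logged-in admin session. The directory path, the `f` query parameter and the extension list are assumptions; the session flag name is the one used in the answer.

```php
<?php
// asset.php: added example, placed inside the public document root.
declare(strict_types=1);

// Assumed location of the private files, outside the web root.
const PRIVATE_DIR = '/var/www/sites/site/admin_assets';
// Only these extensions are served, each with a fixed Content-Type.
const ALLOWED_TYPES = [
    'css' => 'text/css',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
];

/** Map a requested name to a real file inside $baseDir, or null if it is missing or escapes it. */
function resolve_private_file(string $baseDir, string $requested): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() has resolved ../ and symlinks, so a prefix check is reliable here.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
if (empty($_SESSION['admin_logged_in'])) {   // flag name taken from the answer
    http_response_code(403);
    exit('Forbidden');
}

$requested = is_string($_GET['f'] ?? null) ? $_GET['f'] : '';   // hypothetical parameter
$path = resolve_private_file(PRIVATE_DIR, $requested);
$ext  = $path === null ? '' : strtolower(pathinfo($path, PATHINFO_EXTENSION));
if ($path === null || !array_key_exists($ext, ALLOWED_TYPES)) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

An admin page would then reference its assets as, for example, `asset.php?f=css/admin.css`; a request without the session flag gets a 403 and never reaches the file system.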
