Password-Protecting Script Subdirectories

How to password-protect a subdirectory of scripts from external users/bots

     
12:56 am on May 21, 2018 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 28, 2003
posts: 489
votes: 1


Is it possible to password-protect a subdirectory like domain.com/js/ or domain.com/php_scripts/ so that users can't access these, but the webpages on the site still can?

For example, when a user logs in, or sends a message to another user, jQuery on these webpages calls scripts in the 'php_scripts' folder to execute these actions.

I'd like to prevent access to folders like 'php_scripts' from people (and bots) externally but I haven't found a way that doesn't also cause issues with the actual pages on the site being able to access the files in subdirectories like this as well.

The site uses Apache and WHM/cPanel.
2:21 am on May 21, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15028
votes: 665


jQuery on these webpages calls scripts in the 'php_scripts' folder to execute these actions
Does this come through as a GET request in logs, citing the human user's IP? If no, it becomes wonderfully easy to block them. If yes, what server type & version are you on?
2:37 am on May 21, 2018 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 28, 2003
posts: 489
votes: 1


No, they are POST requests.

I also include() some of the PHP files located in 'php_scripts' in the root webpages as well, if that makes any difference.
8:40 pm on May 21, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15028
votes: 665


On an Apache server, this is where a RewriteCond looking at %{THE_REQUEST} is useful. It means, in practice, “You can have this file, but only if you (i.e. your browser) didn’t ask for it by name”.

Sometimes it's possible to look at the referer--but, on the one hand, the occasional human browser doesn't send a referer, and on the other hand it's easy for robots to fake.
5:14 am on May 22, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12334
votes: 805


Using the scripts and SSI as you are doing, you can't password protect the directories. They need to be left accessible by all, but...

There are ways to block directory browsing, so that nosey users can't view all the files in these directories:

• Put an index page in each directory. Then when a nosey user wants to see what's in there, they will just get the index page where you can display whatever message you like.

• To stop the display of files in a directory, at the top of each directory's .htaccess file add:
Options -Indexes
(You can actually use both techniques at the same time.)
2:58 am on May 23, 2018 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 28, 2003
posts: 489
votes: 1


Thanks for the tips! I also read that it might be possible to move the scripts outside of the public_html folder.

But jQuery can't access files outside of the public_html folder. Would it be possible to use a server-side script to proxy the jQuery request to the PHP scripts outside of the public_html folder?
3:08 am on May 23, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12334
votes: 805


The more you route the script, the longer it will take to execute. I would leave it where it is.
9:03 pm on May 24, 2018 (gmt 0)

Junior Member from US 

5+ Year Member

joined:Dec 23, 2008
posts:157
votes: 5


Isn't the OP something for which "above Doc Root" would be a solution?
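
Added example (not from any poster in this thread): a sketch of the "above Doc Root" layout combined with the server-side proxy script asked about earlier. The file name api.php, the `action` POST field, the two action names and the directory layout are assumptions for illustration.

```php
<?php
// public_html/api.php (hypothetical name): the one PHP URL the pages POST to.
declare(strict_types=1);

// Assumed layout: /home/USER/php_scripts sits beside /home/USER/public_html,
// so Apache has no URL that maps to the scripts themselves.
const SCRIPT_DIR = __DIR__ . '/../php_scripts';

// Allow-list of action name => script file (names are assumptions).
// Client input only selects a key; it is never used to build a path.
const ACTIONS = [
    'login'        => 'login.php',
    'send_message' => 'send_message.php',
];

// Return the script to run, or null if the request should be refused.
function resolve_action(string $method, $action): ?string
{
    if ($method !== 'POST' || !is_string($action)) {
        return null;                 // wrong verb, or action[]=... array input
    }
    if (!array_key_exists($action, ACTIONS)) {
        return null;                 // unknown name, including "../" attempts
    }
    return SCRIPT_DIR . '/' . ACTIONS[$action];
}

$target = resolve_action($_SERVER['REQUEST_METHOD'] ?? '', $_POST['action'] ?? null);
if ($target === null) {
    http_response_code(404);
    exit;
}

// Relocating files does not authenticate anyone: each script must still
// check the session and validate its own input before acting.
require $target;
```

Pages in public_html can keep using include() with the new filesystem path, since include() reads from disk and never goes through Apache.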