Password-Protecting Script Subdirectories

How to password-protect a subdirectory of scripts from external users/bots

         

dougmcc1

12:56 am on May 21, 2018 (gmt 0)

10+ Year Member



Is it possible to password-protect a subdirectory like domain.com/js/ or domain.com/php_scripts/ so that users can't access these, but the webpages on the site still can?

For example, when a user logs in, or sends a message to another user, jQuery on these webpages calls scripts in the 'php_scripts' folder to execute these actions.

I'd like to prevent access to folders like 'php_scripts' from people (and bots) externally but I haven't found a way that doesn't also cause issues with the actual pages on the site being able to access the files in subdirectories like this as well.

The site uses Apache and WHM/cPanel.

lucy24

2:21 am on May 21, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"jQuery on these webpages calls scripts in the 'php_scripts' folder to execute these actions"
Does this come through as a GET request in logs, citing the human user's IP? If no, it becomes wonderfully easy to block them. If yes, what server type & version are you on?

dougmcc1

2:37 am on May 21, 2018 (gmt 0)

10+ Year Member



No, they are POST requests.

I also include() some of the PHP files located in 'php_scripts' in the root webpages as well, if that makes any difference.

lucy24

8:40 pm on May 21, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



On an Apache server, this is where a RewriteCond looking at %{THE_REQUEST} is useful. It means, in practice, “You can have this file, but only if you (i.e. your browser) didn’t ask for it by name”.

Sometimes it's possible to look at the referer--but, on the one hand, the occasional human browser doesn't send a referer, and on the other hand it's easy for robots to fake.

keyplyr

5:14 am on May 22, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Using the scripts and SSI as you are doing, you can't password protect the directories. They need to be left accessible by all, but...

There are ways to block directory browsing, so that nosey users can't view all the files in these directories:

• Put an index page in each directory. Then when a nosey user wants to see what's in there, they will just get the index page where you can display whatever message you like.

• To stop the display of files in a directory, at the top of each directory's .htaccess file add:
Options -Indexes
(You can actually use both techniques at the same time.)

dougmcc1

2:58 am on May 23, 2018 (gmt 0)

10+ Year Member



Thanks for the tips! I also read that it might be possible to move the scripts outside of the public_html folder.

But jQuery can't access files outside of the public_html folder. Would it be possible to use a server-side script to proxy the jQuery request to the PHP scripts outside of the public_html folder?

keyplyr

3:08 am on May 23, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The more you route the script, the longer it will take to execute. I would leave it where it is.

Jonesy

9:03 pm on May 24, 2018 (gmt 0)

10+ Year Member Top Contributors Of The Month



Isn't the OP something for which "above Doc Root" would be a solution?
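
The "above Doc Root" arrangement raised in the last posts, sketched as an added example that is not part of the original thread: one dispatcher stays in public_html and routes allowlisted POST actions to scripts stored outside the web root. The file name api.php, the directory layout, the action names and the session keys user_id and csrf_token are all assumptions made for illustration.

```php
<?php
// public_html/api.php: the only script entry point left inside the web root (hypothetical name).
// Assumed layout: php_scripts/ sits beside public_html/, so Apache never serves it directly.
declare(strict_types=1);
session_start();

const SCRIPT_DIR = __DIR__ . '/../php_scripts';
// Hypothetical action names mapped to files in the private directory.
// The client sends an action name, never a file path.
const ACTIONS = [
    'login'        => 'login.php',
    'send_message' => 'send_message.php',
];
// Actions that may be called without a logged-in session.
const PUBLIC_ACTIONS = ['login'];

function fail(int $status, string $reason): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $reason]);
    exit;
}

// The thread states these calls are POST requests, so refuse every other method.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    header('Allow: POST');
    fail(405, 'POST only');
}

$action = $_POST['action'] ?? '';
if (!is_string($action) || !array_key_exists($action, ACTIONS)) {
    fail(404, 'unknown action');
}

// Everything except the public actions needs an authenticated session (assumed key: user_id).
if (!in_array($action, PUBLIC_ACTIONS, true) && empty($_SESSION['user_id'])) {
    fail(401, 'not logged in');
}

// Per-session CSRF token, assumed to be stored when the page is rendered and sent back by the jQuery call.
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || empty($_SESSION['csrf_token'])
    || !hash_equals((string) $_SESSION['csrf_token'], $token)) {
    fail(403, 'bad CSRF token');
}

// The path is built only from the allowlist above, so request data never reaches require.
require SCRIPT_DIR . '/' . ACTIONS[$action];
```

Pages that include() these files would point their include paths at the private directory, and the jQuery calls would post to api.php with the action and csrf_token fields added.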