I would like to deny access to the admin site of a webpage created with CodeIgniter.
This is the link
www.mydomain.com/admin
I created an htaccess file with following code
Order Deny,Allow
Deny from all
Allow from xx.xxx.xxx.xxx
I put the htaccess file in application/view/admin
Obviously it does not work.
What is the correct way to deny a specific folder in a CodeIgniter project?
Edit:
Why not just add the ip check in the Admin class constructor?
public function __construct()
{
parent::__construct();
if ($this->input->ip_address() != 'xx.xxx.xxx.xxx')
{
show_404();
}
}
Related
I have a problem, my website is running on Laravel 5, I have set up SSL cert and configured it using Load Balancer in AWS. Set up listeners for HTTP(80) and HTTPS(443). SSL checker seems fine. I can access https://www.mydomainname.com and it directs to a secure page.
However everytime I enter www.mydomainname.com on any browser it leads to a not secure page, when I navigate to another page like mydomainname.com/business its secured.
My AppServiceProvider conf:
public function boot()
{
if($this->app->environment('production')) {
\URL::forceScheme('https');
}
}
\URL::forceScheme('https'); will not redirect to https, it is used to build links with https inside app.
If you want redirect in Laravel you can use middleware:
public function handle($request, Closure $next) {
if (!$request->secure()) {
return redirect()->secure($request->getRequestUri());
}
return $next($request);
}
Of course, the best way is to use redirect with apache/nginx.
I have used several codes for restricting direct access of controller page from url, but its not happening.
The below code in controller page is not preventing from direct url access. Is there any proper way to prevent from direct access from url?
<?php
defined('BASEPATH') OR exit('No direct script access allowed');
class Cont extends CI_Controller
{
public function __construct()
{
parent ::__construct();
$this->load->model('test');
}
public function handle($function){
if($function=='abcd'){
$this->load->view('testpage');
}
}
}
You can use HTTP_REFERER which holds the information(address) about the page that referred you to the current page, if it's empty you can redirect it to your 404 page. Also, you should always check for $_SESSION and redirect if not set.
if( !isset($_SERVER['HTTP_REFERER'])) {
$this->load->helper('url');
redirect('/page404');
}
Alternatively, you can also use HTTP_X_FORWARDED_FOR, but it won't help you in AJAX request. Read more about it here and here.
You can use _remap() function inside your Controller, where we can define where to route the method.
The following code blocks all method call to that controller.
function _remap($method)
{
return false;
}
See the DOC here
From documentation
For the best security, both the system and any application folders should be placed above web root so that they are not directly accessible via a browser. By default, .htaccess files are included in each folder to help prevent direct access, but it is best to remove them from public access entirely in case the web server configuration changes or doesn’t abide by the .htaccess.
If you want to prevent direct access to specific methods then you can try
public function _handle(){ //adding _ before the method name
}
Or
private function handle(){ //private functions cannot access by url
}
I have on my project route groups for 4 subdomains, on one subdomain I set 'middleware' => 'auth', it works, but if guest try to access this protected subdomain he is redirected to sub.project.com/login and not to project.com/login, where can I set it correctly?
You can try to handle the redirect within the middleware
public function handle($request, Closure $next, $guard = null)
{
if ($request->getPort() != 80 || Auth::guard($guard)->guest()) {
//to account for json or ajax requests
if ($request->ajax() || $request->wantsJson())
{
return response('Unauthorized.', 401);
}
return redirect('auth/login')->withErrors(['must login']);
}
return $next($request);
}
By default it shouldn't be a problem. On by default I mean, you had to explicitly tell Laravel where to redirect, if you didn't do so (didn't alter middleware logic in any way), there are 3 things that come in play:
Your .htaccess (or httpd.conf) is messed up.
Certificate issues. Do you have SSL enabled on the login page? If the website config file points to a cert issued for not the same domain, it causes such problems.
config/app.php includes the wrong domain
(It's a stupid question on my part, but could you please confirm that it redirects to and not renders the content available on that subdomain? To exclude some possibilities.)
Just recently upgraded from Code Igniter 2.2 to Code Igniter 3.
Website is plaster.tv. The homepage works however any other URL is routed to this default_controller even though other routes are specified:
/application/config/routes.php
$route['default_controller'] = "home";
$route['404_override'] = '';
$route['translate_uri_dashes'] = FALSE;
$route['login'] = 'login';
$route['signup'] = 'signup';
$route['main'] = 'main';
$route['sendResetEmail'] = 'sendResetEmail';
$route['resetPassword'] = 'resetPassword';
Internal pages which is handled by other controllers, e.g. plaster.tv/signup doesn't work, but plaster.tv/?c=signup works.
/application/config/config.php:
$config['base_url'] = 'http://www.plaster.tv/';
$config['index_page'] = '';
$config['uri_protocol'] = 'REQUEST_URI'; //worked using AUTO in CI 2.2
$config['url_suffix'] = '';
$config['subclass_prefix'] = 'MY_';
$config['composer_autoload'] = FALSE;
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
$config['allow_get_array'] = TRUE;
$config['enable_query_strings'] = TRUE;
$config['controller_trigger'] = 'c';
$config['function_trigger'] = 'm';
$config['directory_trigger'] = 'd';
/application/controllers/Home.php:
<?php if (!defined('BASEPATH')) {
exit('No direct script access allowed');
}
class Home extends CI_Controller
{
public function __construct()
{
parent::__construct();
$this->load->library('form_validation');
}
public function index()
{
//... this part works
}
}
/application/controllers/Signup.php:
<?php if (!defined('BASEPATH')) {
exit('No direct script access allowed');
}
class Signup extends CI_Controller
{
public function __construct()
{
parent::__construct();
}
public function index()
{
//... this class is never called when the URL is http://www.plaster.tv/signup but is called when the URL is http://www.plaster.tv/?c=signup
}
}
Hope someone could help me figure this out.
Same situation here after changing CI2 to CI3. All controllers including non-existent controller routed to the default controller.
To solve this, change $config['enable_query_strings'] = TRUE; to FALSE.
When you set $config['enable_query_strings'] = FALSE you force CodeIgniter (CI) into using query strings. That is why plaster.tv/?c=signup works but plaster.tv/signup does not.
To browse to a controller it is one way or the other, you cannot use both. If you do not want to use query strings to call a controller then you need
$config['enable_query_strings'] = TRUE;
This setting does not mean that you cannot append a query string to a URL used with CI. Any such query items will be accessible in controllers by using $this->input->get('some_key'); so long as $config['allow_get_array'] = TRUE;
Not related to your issue but you might like to know: The following lines are not needed and should be deleted
$route['login'] = 'login';
$route['signup'] = 'signup';
$route['main'] = 'main';
$route['sendResetEmail'] = 'sendResetEmail';
$route['resetPassword'] = 'resetPassword';
You only need to define routes if you want to remap CodeIgniter's normal URI relationship between a URL string and its corresponding controller/method.
Any of the above will can be browsed to with http://plaster.tv/name_of_controller without the need of any settings in routes.php - assuming there is an index() method in the requested controller.
I had the same issue and tried pretty much everything I'd read online bearing in mind I've developed many sites with Codeigniter before. But the one thing that I did change this time round was my machine and XAMPP set up. I found the issue was due to the configuration in XAMPP itself. The virtual host file wasn't configured correctly and although the default controller was working, anything else wouldn't.
What I did to rectify this was to ensure the follow lines were added to the httpd-vhosts.conf file in XAMPP:-
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs"
ServerName localhost
<Directory "C:/xampp/htdocs">
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>
And then each of my virtual hosts is set with the following tags:-
<VirtualHost *:80>
DocumentRoot "D:/Development Websites/testsite1/httpdocs"
ServerName testsite1.com
ErrorLog "logs/testsite1-error-log.log"
<Directory "D:/Development Websites/testsite1/httpdocs">
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
After doing this, all my controllers now work fine. It was nothing to do with CI config or .htaccess in the end.
When I moved my working CI webapp from my localhost to a webhosting, I encounter a "duplicating and appending URL" problem.
In my localhost, this works (shows the login page): http://mylocal/someapp/ --> which will redirect to http://mylocal/someapp/index.php/login
However, after migrating to webhosting, trying to access it like this: http://webhosting.com/someapp/, somehow it automatically appends to be
http://webhosting.com/someapp/%20//webhosting.com/someapp/index.php/login
My .htaccess contains nothing (works on localhost)
In config.php,
$config['base_url']= '';
The home controller which will redirect to the login controller (then the login view) looks like this:
class Home extends CI_Controller {
function __construct()
{
parent::__construct();
}
function index()
{
if($this->session->userdata('logged_in'))
{
$session_data = $this->session->userdata('logged_in');
$data['username'] = $session_data['username'];
$this->load->view('home_view', $data);
}
else
{
//If no session, redirect to login page
redirect('login', 'refresh');
}
}
function logout()
{
$this->session->unset_userdata('logged_in');
session_destroy();
redirect('home', 'refresh');
}
}
Or maybe some settings in the webhosting that I need to configure?
Use http:// prefix before base url in $config['base_url'];
e.g.
$config['base_url']=http://localhost/islam;
$config['base_url']= '';
should contain the base url of your website. i think that's the problem.
should be:
$config['base_url']= 'http://yoursite.com/';
Found the answer my self. Turns out that some webhostings are not treating CI refresh properly.
header("Refresh:0;url=...");
instead, it only wants this:
header("Location: ...");
So, I changed url_helper.php (system/helpers/url_helper.php line:543), from
case 'refresh'
to
case 'xxxrefresh'
so that it always skips the header refresh and only use header location.
I don't know if this the proper solution, but it works on my website.
Test your webhosting characteristics before you migrate your CodeIgniter codes from your local machine.
Hope this helps somebody in the future.
I had the same "duplication problem" with a local insallation. Here is my solution: set your base URL in application/config/config.php, for example:
$config['base_url'] = 'http://localhost/ci/';
It is important to add the http:// or https:// prefix to fix the "duplication problem". Of course, the trailing slash is also necessary.