I am on an Apache server and I want to hide assets from people who are not logged in. My login logic/cookies are in PHP, so it's easy to redirect if the login cookie doesn't exist. But how do I restrict access to other assets like CSS/JS/images? For example, on my site example.com/user/foo.php is behind a login wall. But foo.php also loads example.com/js/user/foo.js. Now anyone who knows the file location can see the contents of the JS file. But I want to restrict it so that the user is required to log in to load the JS/CSS files. Mainly JS, because it can have sensitive data or expose some internal API calls etc.
1 Answer
it's easy to redirect if the login cookie doesn't exist
That's hardly an effective solution.
While I would question whether there's actually any benefit in doing this, the simplest solutions would be to:
use mod_rewrite to route all requests for static content via a PHP script which can verify that the session is authenticated (which will be very slow and requires reimplementation of caching in the controller)
use mod_auth_memcookie to control access to the files at the webserver tier.
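The following is an added example of the first option, not code from the answer's author or the asker: a gatekeeper script that Apache is rewritten to for anything under js/user/ or css/user/. The rewrite rule in the header comment, the script name serve_asset.php, the $_SESSION['user_id'] key and the ASSET_ROOT location are all assumptions. It returns 403 to an unauthenticated request (a script tag cannot follow a redirect to a login page), refuses any path that resolves outside the asset root or has an unexpected extension, and re-implements the conditional-GET caching (ETag / Last-Modified / 304) that Apache would otherwise have done for a static file, marking the responses private so no shared cache keeps a copy.

```php
<?php
// Added example (not the answer's or the asker's code): a PHP gatekeeper that
// serves files under js/user/ and css/user/ only to an authenticated session.
//
// Assumed .htaccess in the document root (hypothetical rules, not from the page):
//   RewriteEngine On
//   RewriteRule ^(js|css)/user/(.+)$ /serve_asset.php?path=$1/user/$2 [L,QSA]
//
// Assumptions: the login code stores the user's id in $_SESSION['user_id'],
// and the protected js/ and css/ directories live under ASSET_ROOT on disk.

declare(strict_types=1);

const ASSET_ROOT = __DIR__;   // assumed: the document root holds js/ and css/
const MAX_AGE    = 3600;      // the browser may keep the file this long, privately

// Only these types are ever served by this script; anything else is refused.
const ALLOWED_TYPES = [
    'js'  => 'application/javascript; charset=utf-8',
    'css' => 'text/css; charset=utf-8',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'svg' => 'image/svg+xml',
];

// Resolve the requested path to a real file inside ASSET_ROOT, or return null.
// realpath() collapses "../" segments, so a traversal attempt cannot escape the root.
function resolveAsset(string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $root = realpath(ASSET_ROOT);
    $full = realpath(ASSET_ROOT . '/' . ltrim($requested, '/'));
    if ($root === false || $full === false || !is_file($full)) {
        return null;
    }
    // The resolved file must start with "<root>/"; otherwise it lies outside the root.
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    return isset(ALLOWED_TYPES[$ext]) ? $full : null;
}

function deny(int $status, string $body): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    header('Cache-Control: no-store');
    echo $body;
    exit;
}

session_start();

// 1. Authentication: the same check the page's foo.php applies, but a 403
//    instead of a redirect, because <script src> cannot follow a login page.
if (empty($_SESSION['user_id'])) {
    deny(403, 'Forbidden');
}

// 2. Path validation: only real files of an allowed type inside ASSET_ROOT.
$file = resolveAsset((string) ($_GET['path'] ?? ''));
if ($file === null) {
    deny(404, 'Not found');
}

// 3. Conditional GET, so the browser can revalidate cheaply. This is the caching
//    the answer says must be re-implemented once Apache no longer serves the file.
$mtime        = filemtime($file);
$etag         = '"' . hash_file('sha256', $file) . '"';
$lastModified = gmdate('D, d M Y H:i:s', $mtime) . ' GMT';

header('Cache-Control: private, max-age=' . MAX_AGE); // private: never stored by a shared cache
header('Vary: Cookie');
header('ETag: ' . $etag);
header('Last-Modified: ' . $lastModified);

$ifNoneMatch     = $_SERVER['HTTP_IF_NONE_MATCH'] ?? '';
$ifModifiedSince = $_SERVER['HTTP_IF_MODIFIED_SINCE'] ?? '';
if ($ifNoneMatch === $etag || ($ifNoneMatch === '' && $ifModifiedSince === $lastModified)) {
    http_response_code(304);
    exit;
}

// 4. Send the file with an explicit type and no content sniffing.
$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . (string) filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
```

Note that every asset request now starts a PHP process and a session lookup, which is the cost the answer warns about; the ETag and Last-Modified headers only reduce bytes transferred, not the per-request PHP work, so keep the set of protected files small and leave everything else to Apache.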
3 Comments
Achshar
My logic uses the session variable. I think it's safe enough. I just want to block a possible weakness that may or may not exist. My js has no inherently sensitive data, but it may help some attacker in better understanding my internal requests. This is not the main wall, it's just a small fence in front of the wall. How do other websites do this? Is it possible to access the js files facebook uses on logged in pages without login?
symcbean
I think it's safe enough - then either you are wasting your time implementing this or you don't understand the problem. Is it possible to access the js files facebook uses - don't you know how to check this yourself?
Achshar
My question wasn't about the safety of my implementation of the login logic. It goes off topic from here but can you tell me how can I improve it? I am currently storing the logged in user's id in a php session variable. How can I improve it?
<style> and <script> segments of your HTML directly by PHP. Not that this would be easy or the best way to solve the issue.