如何保护管理文件夹php [英] How to secure admin folder php

问题描述

我正在寻找一种方法来保护管理区域，尤其是文件夹本身的安全(包括带有图像和 css 的文件夹).我已经阅读了很多建议，但他们都觉得是一种妥协或解决方法而不是防弹方法，或者我不明白哪种方法最有利于安全和对外界隐藏，我想成为唯一知道它的人或访问它.希望有人能够阐明他们将使用什么，当他们希望该区域完全隐藏在外部世界之外，同时仍可供您访问时.

我遇到的一些方法涉及:

1. 将文件夹移到根目录之外
2. 使用 Htaccess 拒绝所有.(也意味着我无法登录，除非我应用了我没有的静态 IP 地址)
3. 我想到的另一种方法是使用会话变量来存储管理员，根据会话 ID 识别和授予访问权限.(这确实意味着可以查看所有其他 css 文件和图像文件夹).
4. 在文件夹中添加索引页面，我看到很多网站都这样做.

我目前有我的登录脚本将我重定向到我的管理区域，所以如果登录的管理 php 文件正在请求它，那么整个文件夹是否可以识别我并授予访问权限并提供文件?，如果没有拒绝访问，包括图像和 CSS 等?

不知道如何最好地保护这个区域?使用会话是识别管理员的安全方式吗?

解决方案

确保内容不会暴露在网络上的最简单方法是将其放在目录结构中的站点文件夹上方.

例如在您的 Apache 配置中将站点挂载在

/var/www/sites/site/content/

并将受限内容放在

/var/www/sites/site/

这样内容就不会被暴露，但如果需要，php仍然可以读取它.

显然，如果 php 读取并回显它们，这不会阻止用户查看您的 css 文件中的内容，但我不明白为什么 css 文件需要安全

编辑

假设您的服务器上有一个文件夹位于 /var/www/sites/site/content/some_folder

然后您在浏览器中输入 www.yoursite.com/some_folder，假设您在站点中打开了索引，您将在 some_folder 中看到文件列表>

但是如何从网络浏览器访问 /var/www/sites/site/ ?...你不能！！

但是你可以做的是这样的事情:

这将是主站点文件夹中的一个 php 文件(对公众可见)

I am looking to find a way I can secure admin area, especially the folder itself from outside access (These include folders with images and css). I have read a lot of suggestions but they all feel rather a compromise or work around than a bullet proof method or I am not understanding which is best for security and hidden from outside world, I want to be the only one that knows about it or access it. Hoping someone can shed some light what they would use, when they want the area completely hidden from outside world, whilst still accessible to you.

Some of the methods I have come across involve:

1. Moving folder outside of root
2. Using Htaccess Deny all. (also means I can't login unless I apply a static IP address which I do not have)
3. Another way I thought of could be to use session variable to store admin, recognize and grant access based on session ID. (This does mean all other css files and image folders are viewable).
4. Adding an index page in the folder which I see alot of sites do.

I currently have my login script to redirect me to my admin area, so is there anyway for the whole folder to recognize it's me and grant access and serve files on if a logged in admin php file is requesting it?, if not to decline access including images and css etc?

Can't figure out how best to protect this area? Is using session a secure way of identifying an admin?

解决方案

The easiest way to ensure content is not exposed to the web is to place it above the site folder in your directory structure.

so for example in your Apache configuration mount the site at

/var/www/sites/site/content/

and place the restricted content at

/var/www/sites/site/

that way the content will not be exposed but php can still read it if required.

Obviously this will not stop users from seeing what is in your css files if php reads them and echoes them out but I dont see why a css file should need to be secure

Edit

Supposing you have a folder on your server at /var/www/sites/site/content/some_folder

and you enter www.yoursite.com/some_folder into a browser, assuming you have indexes open in your site you will see a list of files in some_folder

But how can you get to /var/www/sites/site/ from a web brower ? ... you can't!!

but what you can do is some thing like this:

And this would be a php file inside the main site folder (visible to public)

<?php

session_start();
if(isset($_SESSION['admin_logged_in'])){
   include '/var/www/sites/site/secret_content.php';
}

这篇关于如何保护管理文件夹php的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！