This topic is now archived and is closed to further replies.

vbnullchar

protect css

You can do this:
[code]<link rel="stylesheet" HREF="styles.php" TYPE="text/css">[/code]
Notice the .php extension on the CSS file. That file can do anything PHP can do, including access cookies, access session variables, and access server variables. About the only thing that will be of use for securing the file from being downloaded is to use $_SESSION['HTTP_REFERER'] to make sure it is called from one of your pages, but this method is imperfect and can be circumvented.

If you plan to let browsers see / use the CSS, you can't protect it, no matter what you do.
At [b]least[/b] these people will be able to download it by looking at the source or somehow.

Well, I might have a solution. I was browsing through SMF's source code and I found this, which is a pretty cool thing.

[code=php:0]if (basename($_SERVER['PHP_SELF']) == 'css.php')
    die(sprintf("You cannot access this file directly!"));[/code]

I tested it on a file called "test.php" and it worked :)

//Edit: Tested it on a CSS file, no luck; seeing as you name the CSS file with a .php extension, it doesn't work. Well, that feature is still cool though.

And besides, why do you not want users to see your CSS?

That snippet does *almost* nothing; you will still be able to access it through css.php

I tried this one and it seems to be working fine:

[code]<?php
// Refuse the request when no Referer header was sent
if (!isset($_SERVER['HTTP_REFERER'])) {
    echo 'Access denied!!!';
    exit();
}
?>[/code]

[quote]i tried this one and it seems to be working fine[/quote]

That will work fine, unless of course I created a link to your css and followed it.

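I tested it also like this:

test.php
[code]<?php
// Redirect straight to the stylesheet script
header('Location: http://localhost.mysite/css/style.php');
?>[/code]

style.php
[code]<?php
// Refuse the request when no Referer header was sent
if (!isset($_SERVER['HTTP_REFERER'])) {
    echo 'Access denied!!!';
    exit();
}
?>[/code]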

The referer check can be defeated by calling it through curl and setting the referer manually (faked!). It works fine, I've done it before. Web site 'strippers' that you can get for free use the same technique as well, I'm sure.
No matter what you do, you will only be able to protect your css from amateurs, somebody who is expert will always be able to view the file.

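Added example, not part of any post in this thread: the Referer checks discussed above, evaluated against constructed requests. Each array stands in for `$_SERVER` on one request to style.php; the host name `www.example.test` and the stricter `referer_same_host()` variant are assumptions of this example.

```php
<?php
// Added example with constructed requests; not code from the thread.

/** The check posted in the thread: any Referer value at all passes. */
function referer_present(array $server): bool
{
    return isset($server['HTTP_REFERER']);
}

/** Stricter variant (assumption): the Referer host must be our own host. */
function referer_same_host(array $server, string $ownHost): bool
{
    $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ownHost) === 0;
}

$ownHost = 'www.example.test'; // hypothetical site name

// Constructed sample requests (label => the relevant part of $_SERVER).
$requests = [
    'page load, browser sends Referer' => ['HTTP_REFERER' => 'http://www.example.test/index.php'],
    'URL typed into the address bar'   => [],
    'page load, Referer suppressed'    => [], // e.g. Referrer-Policy: no-referrer
    'link followed from another site'  => ['HTTP_REFERER' => 'http://other.example.test/page.html'],
    'client that sets its own header'  => ['HTTP_REFERER' => 'http://www.example.test/index.php'],
];

foreach ($requests as $label => $server) {
    printf(
        "%-34s present=%-5s same_host=%s\n",
        $label,
        referer_present($server) ? 'allow' : 'deny',
        referer_same_host($server, $ownHost) ? 'allow' : 'deny'
    );
}
```

Both checks allow the last request, because the server only ever sees the header value the client chose to send, and both deny a legitimate page load whose Referer was suppressed.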
Found a way which works  :)


mainpage.php

[code]<?php
session_start();
$_SESSION['css']='yes';
?>
<link rel="stylesheet" HREF="styles.php" TYPE="text/css">


<span class="test">weeeeee</span>[/code]

style.php

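[code]<?php
session_start();
// Only emit the rules when mainpage.php has set the flag in this session;
// isset() avoids an undefined-index notice on a fresh session.
if (isset($_SESSION['css']) && $_SESSION['css'] == 'yes') {
?>
.test {
font-size: 10px;
color: #000000;
background-color: #95AFE4;
font-family: Arial, Helvetica, sans-serif;
font-weight: bold;
font-style: normal;
}
<?php } ?>[/code]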


This seems to work fine and people can't link from another site because that would mean the session is checked on your server not theirs..

I tested this using an else statement after, so then I could check it has all gone through fine..

Regards
Liam

ummmm nope! we're using sessions not cookies! sessions are stored on serverside not clientside :)

Liam

Yeah (and this might be my lack of understanding) but if a user completely blocks cookies, then sessions are also blocked.
I tested this on my sites by disabling cookies then using sessions etc - seemed to be that way. I believe depending on your settings the SID is appended onto the URL if cookies are blocked - but I don't allow that cos it screws with search engines.

Session variables pass a session id cookie back and forth from the browser to the server. That id# is then used to actually look up the session variables stored on the server. If all cookies are blocked then the session id may show up on the urls.  If the session variables are your security system related to logging on, then you don't want that.

I think about 99% of people have cookies enabled...

Your only problem with that script is that that session will stay set... So someone can go to one of your pages and then go to your CSS and it'll work fine... try adding $_SESSION['css'] = 'n'; to the end of your CSS... Wait, I just realized something as I was typing this... CSS files are cached... So they'll be cached no matter what... I wonder if headers could be used to not cache it though...
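Added example, not part of any post in this thread: a style.php that combines the session flag from mainpage.php with the two ideas raised last, clearing the flag after one use and sending headers that tell the browser not to cache the response. The 403 status and the exact header values are choices of this example.

```php
<?php
// style.php -- added example, builds on the session flag used in the thread.
session_start();

// With PHP's default session.cache_limiter=nocache, session_start() already
// sends anti-caching headers; setting them explicitly removes the dependency
// on php.ini. header() replaces earlier headers of the same name.
header('Content-Type: text/css; charset=utf-8');
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache'); // for HTTP/1.0 caches
header('Expires: 0');

// Strict comparison; ?? avoids a notice when the session has no flag yet.
if (($_SESSION['css'] ?? '') !== 'yes') {
    http_response_code(403);
    exit("/* Access denied */\n");
}

// One-time use: a later direct request to style.php in the same session is
// refused until mainpage.php sets the flag again.
$_SESSION['css'] = 'n';
session_write_close(); // persist the change and release the session lock
?>
.test {
    font-size: 10px;
    color: #000000;
    background-color: #95AFE4;
    font-family: Arial, Helvetica, sans-serif;
    font-weight: bold;
    font-style: normal;
}
```

The stylesheet is still delivered to every browser that loads mainpage.php, so the rules remain readable in the browser's developer tools. `no-store` also means the file is downloaded again on every page view.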