Jump to content


Photo

protect css


  • Please log in to reply
18 replies to this topic

#1 vbnullchar

vbnullchar
  • Members
  • PipPipPip
  • Advanced Member
  • 428 posts
  • LocationPasig City, Philippines

Posted 10 August 2006 - 11:28 AM

how can i protect my css file from being downloaded using php
Registered Linux User #399942
Ubuntu User #14134
--
my blog

#2 shocker-z

shocker-z
  • Members
  • PipPipPip
  • Advanced Member
  • 864 posts
  • LocationNottingham

Posted 10 August 2006 - 11:55 AM

your looking at htaccess not PHP

Regards
Liam
www: www.ukchat.ws | irc: irc.ukchat.ws chan: #blufudge

#3 mainewoods

mainewoods
  • Members
  • PipPipPip
  • Advanced Member
  • 685 posts
  • LocationMaine

Posted 10 August 2006 - 01:47 PM

you can do this:
<link rel="stylesheet" HREF="styles.php" TYPE="text/css">
-notice the .php extension on the css file.  that file can do anything php can do, including access cookies, access session variables, and access server variables.  About the only thing that will be of use for securing the file from being downloaded is to use $_SESSION['HTTP_REFERER'] to make sure it is called from one of your pages, but this method is imperfect is can be circumvented.

#4 vbnullchar

vbnullchar
  • Members
  • PipPipPip
  • Advanced Member
  • 428 posts
  • LocationPasig City, Philippines

Posted 10 August 2006 - 06:51 PM

got it thanks mainewoods
Registered Linux User #399942
Ubuntu User #14134
--
my blog

#5 Ninjakreborn

Ninjakreborn
  • Members
  • PipPipPip
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 10 August 2006 - 09:30 PM

without the capitol href and type, it doesn't validate

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.


#6 poirot

poirot
  • Members
  • PipPipPip
  • Advanced Member
  • 646 posts
  • LocationAustin, TX

Posted 10 August 2006 - 09:35 PM

If you plan to let browsers to see / use the CSS you can't protect it, no matter what you do.
At least these people will be able to download it by looking at the source or somehow.
~ D Kuang

#7 dual_alliance

dual_alliance
  • Members
  • PipPipPip
  • Advanced Member
  • 140 posts
  • LocationNSW, Australia

Posted 10 August 2006 - 09:55 PM

Well l might have a solution.  I was browsing threw SMF's source code and l found this which is a pretty cool thing.

if(basename($_SERVER['PHP_SELF']) == 'css.php')
	die(sprintf("You cannot access this file directly!"));
<br />
I tested it on a file called "test.php" and it worked :)

//Edit: Tested it on a CSS file so luck seeing as you name the CSS file a .php extension it doesn't work.  Well that feature is still cool though.

Any besides why do you not want users to see your CSS?


#8 poirot

poirot
  • Members
  • PipPipPip
  • Advanced Member
  • 646 posts
  • LocationAustin, TX

Posted 10 August 2006 - 10:02 PM

That snippet does *almost* nothing; you will still be able to access it through css.php
~ D Kuang

#9 dual_alliance

dual_alliance
  • Members
  • PipPipPip
  • Advanced Member
  • 140 posts
  • LocationNSW, Australia

Posted 10 August 2006 - 10:14 PM

Not if you put that "snippet" on CSS.php.

#10 vbnullchar

vbnullchar
  • Members
  • PipPipPip
  • Advanced Member
  • 428 posts
  • LocationPasig City, Philippines

Posted 10 August 2006 - 10:35 PM

i tried this one and it seems to be working fine

<?
	if(!isset($_SERVER['HTTP_REFERER'])){
		echo 'Access denied!!!';
		exit();
	}
?>

Registered Linux User #399942
Ubuntu User #14134
--
my blog

#11 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 10 August 2006 - 10:39 PM

i tried this one and it seems to be working fine


That will work fine, unless of course I created a link to your css and followed it.

#12 vbnullchar

vbnullchar
  • Members
  • PipPipPip
  • Advanced Member
  • 428 posts
  • LocationPasig City, Philippines

Posted 10 August 2006 - 11:13 PM

i tested it also like this..

test.php
<?
header('Location:http://localhost.mysite/css/style.php');
?>


style.php
<?
if(!isset($_SERVER['HTTP_REFERER'])){
echo 'Access denied!!!';
exit();
}
?>
Registered Linux User #399942
Ubuntu User #14134
--
my blog

#13 mainewoods

mainewoods
  • Members
  • PipPipPip
  • Advanced Member
  • 685 posts
  • LocationMaine

Posted 11 August 2006 - 12:18 AM

the referer check can be defeated by calling it through curl and setting the referer manually(faked!).  It's works fine, I've done it before.  Web site 'strippers' that you can get for free use the same technique as well I'm sure.
No matter what you do, you will only be able to protect your css from amateurs, somebody who is expert will always be able to view the file.

#14 shocker-z

shocker-z
  • Members
  • PipPipPip
  • Advanced Member
  • 864 posts
  • LocationNottingham

Posted 11 August 2006 - 11:10 AM

Found a way which works  :)


mainpage.php

<?php
session_start();
$_SESSION['css']='yes';
?>
<link rel="stylesheet" HREF="styles.php" TYPE="text/css">


<span class="test">weeeeee</span>

style.php

<?php
session_start();
if ($_SESSION['css']=='yes') {
?>
.test {
	font-size: 10px;
	color: #000000;
	background-color: #95AFE4;
	font-family: Arial, Helvetica, sans-serif;
	font-weight: bold;
	font-style: normal;
}
<?php } ?>


This seems to work fine and people can't link from another site because that would mean the session is checked on your server not theirs..

I tested this using an else statement after so then i could check it has all gone thru fine..

Regards
Liam
www: www.ukchat.ws | irc: irc.ukchat.ws chan: #blufudge

#15 markt

markt
  • New Members
  • Pip
  • Newbie
  • 7 posts

Posted 11 August 2006 - 11:29 AM

Your screwed though if people block cookies arnt you?

#16 shocker-z

shocker-z
  • Members
  • PipPipPip
  • Advanced Member
  • 864 posts
  • LocationNottingham

Posted 11 August 2006 - 11:51 AM

ummmm nope! we're using sessions not cookies! sessions are stored on serverside not clientside :)

Liam
www: www.ukchat.ws | irc: irc.ukchat.ws chan: #blufudge

#17 markt

markt
  • New Members
  • Pip
  • Newbie
  • 7 posts

Posted 11 August 2006 - 04:12 PM

Yeah (and this might be my lack of understanding) but if a user completely blocks cookies, then sessions are also blocked.
I tested this on my sites by disabling cookies then using sessions etc - seemed to be that way. I believe depending on your settings the SID is appended onto the URL if cookies are blocked - but I dont allow that cos it screws with search engines.

#18 mainewoods

mainewoods
  • Members
  • PipPipPip
  • Advanced Member
  • 685 posts
  • LocationMaine

Posted 12 August 2006 - 12:20 AM

Session variables pass a session id cookie back and forth from the browser to the server. That id# is then used to actually look up the session variables stored on the server. If all cookies are blocked then the session id may show up on the urls.  If the session variables are your security system related to logging on, then you don't want that.

#19 corbin

corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 12 August 2006 - 01:10 AM

I think about 99% of people have cookies enabled...

Your only problem with that script is that that session will stay set... So someone can go to one of your pages and then go to your css and itll work fine... try adding $_SESSION['css'] = 'n'; to the end of your css... Wait i just realized something as i was typing this... CSS files are cached... So theyll be cached no matter what... I wonder if headers could be used to not cache it though...
Why doesn't anyone ever say hi, hey, or whad up world?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users