protect css

[vbnullchar]

how can i protect my css file from being downloaded using php

[shocker-z]

your looking at htaccess not PHP

Regards
Liam

[mainewoods]

you can do this:
[code]<link rel="stylesheet" HREF="styles.php" TYPE="text/css">[/code]
-notice the .php extension on the css file.  that file can do anything php can do, including access cookies, access session variables, and access server variables.  About the only thing that will be of use for securing the file from being downloaded is to use $_SESSION['HTTP_REFERER'] to make sure it is called from one of your pages, but this method is imperfect is can be circumvented.

[vbnullchar]

got it thanks mainewoods

[Ninjakreborn]

without the capitol href and type, it doesn't validate

[poirot]

If you plan to let browsers to see / use the CSS you can't protect it, no matter what you do.
At [b]least[/b] these people will be able to download it by looking at the source or somehow.

[dual_alliance]

Well l might have a solution.  I was browsing threw SMF's source code and l found this which is a pretty cool thing.

[code=php:0]if(basename($_SERVER['PHP_SELF']) == 'css.php')
die(sprintf("You cannot access this file directly!"));[/code]
<br />
I tested it on a file called "test.php" and it worked :)

//Edit: Tested it on a CSS file so luck seeing as you name the CSS file a .php extension it doesn't work.  Well that feature is still cool though.

Any besides why do you not want users to see your CSS?

[poirot]

That snippet does *almost* nothing; you will still be able to access it through css.php

[dual_alliance]

Not if you put that "snippet" on CSS.php.

[vbnullchar]

i tried this one and it seems to be working fine

[code]
<?
if(!isset($_SERVER['HTTP_REFERER'])){
echo 'Access denied!!!';
exit();
}
?>
[/code]

[trq]

[quote]i tried this one and it seems to be working fine[/quote]

That will work fine, unless of course I created a link to your css and followed it.

[vbnullchar]

i tested it also like this..

test.php
<?
header('Location:http://localhost.mysite/css/style.php');
?>


style.php
<?
if(!isset($_SERVER['HTTP_REFERER'])){
echo 'Access denied!!!';
exit();
}
?>

[mainewoods]

the referer check can be defeated by calling it through curl and setting the referer manually(faked!).  It's works fine, I've done it before.  Web site 'strippers' that you can get for free use the same technique as well I'm sure.
No matter what you do, you will only be able to protect your css from amateurs, somebody who is expert will always be able to view the file.

[shocker-z]

Found a way which works  :)


mainpage.php

[code]<?php
session_start();
$_SESSION['css']='yes';
?>
<link rel="stylesheet" HREF="styles.php" TYPE="text/css">


<span class="test">weeeeee</span>[/code]

style.php

[code]<?php
session_start();
if ($_SESSION['css']=='yes') {
?>
.test {
font-size: 10px;
color: #000000;
background-color: #95AFE4;
font-family: Arial, Helvetica, sans-serif;
font-weight: bold;
font-style: normal;
}
<?php } ?>[/code]


This seems to work fine and people can't link from another site because that would mean the session is checked on your server not theirs..

I tested this using an else statement after so then i could check it has all gone thru fine..

Regards
Liam

[markt]

Your screwed though if people block cookies arnt you?

[shocker-z]

ummmm nope! we're using sessions not cookies! sessions are stored on serverside not clientside :)

Liam

[markt]

Yeah (and this might be my lack of understanding) but if a user completely blocks cookies, then sessions are also blocked.
I tested this on my sites by disabling cookies then using sessions etc - seemed to be that way. I believe depending on your settings the SID is appended onto the URL if cookies are blocked - but I dont allow that cos it screws with search engines.

[mainewoods]

Session variables pass a session id cookie back and forth from the browser to the server. That id# is then used to actually look up the session variables stored on the server. If all cookies are blocked then the session id may show up on the urls.  If the session variables are your security system related to logging on, then you don't want that.

[corbin]

I think about 99% of people have cookies enabled...

Your only problem with that script is that that session will stay set... So someone can go to one of your pages and then go to your css and itll work fine... try adding $_SESSION['css'] = 'n'; to the end of your css... Wait i just realized something as i was typing this... CSS files are cached... So theyll be cached no matter what... I wonder if headers could be used to not cache it though...