protect css


vbnullchar

You can do this:
[code]<link rel="stylesheet" HREF="styles.php" TYPE="text/css">[/code]
Notice the .php extension on the CSS file. That file can do anything PHP can do, including access cookies, access session variables, and access server variables. About the only thing that will be of use for securing the file from being downloaded is to use $_SESSION['HTTP_REFERER'] to make sure it is called from one of your pages, but this method is imperfect and can be circumvented.

Well, I might have a solution. I was browsing through SMF's source code and I found this, which is a pretty cool thing.

[code=php:0]if (basename($_SERVER['PHP_SELF']) == 'css.php')
    die(sprintf("You cannot access this file directly!"));[/code]
I tested it on a file called "test.php" and it worked :)

//Edit: Tested it on a CSS file, no luck; seeing as you name the CSS file with a .php extension, it doesn't work. Well, that feature is still cool though.

And besides, why do you not want users to see your CSS?

The referer check can be defeated by calling it through curl and setting the referer manually (faked!). It works fine, I've done it before. Web site 'strippers' that you can get for free use the same technique as well, I'm sure.
No matter what you do, you will only be able to protect your CSS from amateurs; somebody who is an expert will always be able to view the file.

Found a way which works  :)


mainpage.php

[code]<?php
session_start();
$_SESSION['css']='yes';
?>
<link rel="stylesheet" HREF="styles.php" TYPE="text/css">


<span class="test">weeeeee</span>[/code]

style.php

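[code]<?php
session_start();
// Tell the browser this PHP script returns CSS, not HTML.
header('Content-Type: text/css');
// Only emit the rules if mainpage.php set the flag in this session.
if (isset($_SESSION['css']) && $_SESSION['css'] == 'yes') {
?>
.test {
font-size: 10px;
color: #000000;
background-color: #95AFE4;
font-family: Arial, Helvetica, sans-serif;
font-weight: bold;
font-style: normal;
}
<?php } ?>[/code]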


This seems to work fine and people can't link from another site because that would mean the session is checked on your server, not theirs.

I tested this using an else statement after, so then I could check it has all gone through fine.

Regards
Liam

Yeah (and this might be my lack of understanding) but if a user completely blocks cookies, then sessions are also blocked.
I tested this on my sites by disabling cookies then using sessions etc. - seemed to be that way. I believe depending on your settings the SID is appended onto the URL if cookies are blocked - but I don't allow that cos it screws with search engines.

Session variables pass a session id cookie back and forth from the browser to the server. That id# is then used to actually look up the session variables stored on the server. If all cookies are blocked then the session id may show up on the URLs. If the session variables are your security system related to logging on, then you don't want that.

I think about 99% of people have cookies enabled...

Your only problem with that script is that that session will stay set... So someone can go to one of your pages and then go to your CSS and it'll work fine... try adding $_SESSION['css'] = 'n'; to the end of your CSS... Wait, I just realized something as I was typing this... CSS files are cached... So they'll be cached no matter what... I wonder if headers could be used to not cache it though...
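
The last post's two suggestions (reset the flag once the sheet is served, and send headers so it is not cached) combined into one script. This is an added example, not code from any poster in the thread; it assumes mainpage.php sets $_SESSION['css'] = 'yes' as shown above, and the helper name consume_css_flag is hypothetical.

```php
<?php
// styles.php: added example, not code posted in the thread.
// Assumption: every page that links this sheet calls session_start() and sets
// $_SESSION['css'] = 'yes' before printing its <link> tag, as mainpage.php does.

// Hypothetical helper: read the flag once, then clear it so that a later
// direct request for styles.php in the same session is refused.
function consume_css_flag(array &$session): bool
{
    $ok = isset($session['css']) && $session['css'] === 'yes';
    unset($session['css']);
    return $ok;
}

session_start();
$allowed = consume_css_flag($_SESSION);
session_write_close(); // save the cleared flag and release the session lock

// Sent on both paths. With PHP's default session.cache_limiter ("nocache"),
// session_start() already sends similar headers; setting them here keeps the
// behaviour the same if that setting is changed.
header('Content-Type: text/css; charset=utf-8');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');

if (!$allowed) {
    http_response_code(403);
    exit("/* stylesheet not available */\n");
}
?>
.test {
    font-size: 10px;
    color: #000000;
    background-color: #95AFE4;
    font-family: Arial, Helvetica, sans-serif;
    font-weight: bold;
    font-style: normal;
}
```

A visitor who loads mainpage.php still receives the full rules in the browser, as the reply about curl points out; the script only refuses a second, direct fetch and keeps the sheet out of the browser cache.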
