Aug 12, 2000, 8:18 AM
Post #1 of 1
getting past .htaccess
Hello. All comments on the security of the following system would be greatly appreciated. In particular, could .htaccess be avoided using FTP or something?
(As far as I know only the user (me) has FTP and telnet access to the server, but if anonymous FTP was allowed would .htaccess be useless against it?)
I have protected a directory on my site using .htaccess.
The index page of the main site has a login form. On submission the password is crypt()ed and if the username/password pair has a match in my passwords file (kept in the .htaccess directory) then a cookie is set with a random number in it (13 digits). The same random number is written into a session file for the user inside the .htaccess directory.
Another script will, if the value of the cookie matches that in the session file, read the contents of a file in the protected directory and send it out to the browser.
The file reading script will only accept letters, numbers, the underscore, a single slash, and a single dot as characters for a valid path, and the script constructs an absolute path to the file.
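The following is an added illustration, not the poster's script, of the two checks the post describes: the per-user session value compared against the cookie, and the path filter for the file-reading script. It assumes a hypothetical protected directory at `/var/www/protected`, stands in an in-memory dictionary for the per-user session files, and is written in Python rather than whatever CGI language the original ran in. Beyond the post's character filter it adds a containment check on the constructed absolute path, since a character whitelist alone does not prove the resulting path stays under the protected directory.

```python
import hmac
import os
import re
import secrets
from typing import Dict, Optional

# Assumed layout (hypothetical path, not from the post): the .htaccess-protected directory.
PROTECTED_DIR = "/var/www/protected"

# In-memory stand-in for the per-user session files the post keeps beside .htaccess.
_SESSIONS: Dict[str, str] = {}


def new_session_token() -> str:
    """13-digit random session value, as in the post, drawn from the OS CSPRNG."""
    return f"{secrets.randbelow(10 ** 13):013d}"


def create_session(username: str) -> str:
    """Issue a session value for the user and record it server-side."""
    token = new_session_token()
    _SESSIONS[username] = token
    return token


def session_matches(username: str, cookie_value: Optional[str]) -> bool:
    """Compare the cookie against the stored value in constant time."""
    stored = _SESSIONS.get(username)
    if stored is None or cookie_value is None:
        return False
    return hmac.compare_digest(stored, cookie_value)


# The post's rule: letters, digits, underscore, at most one slash, at most one dot.
_ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9_./]+$")


def is_valid_relative_path(rel: str) -> bool:
    """Character whitelist plus the single-slash / single-dot limits."""
    if not _ALLOWED_CHARS.match(rel):
        return False
    return rel.count("/") <= 1 and rel.count(".") <= 1


def resolve_protected_file(rel: str, base: str = PROTECTED_DIR) -> Optional[str]:
    """Build the absolute path and confirm it lies inside `base`; None if rejected."""
    if not is_valid_relative_path(rel):
        return None
    base_real = os.path.realpath(base)
    # os.path.join discards `base` when `rel` is absolute, so containment is checked
    # explicitly on the resolved path rather than assumed from the whitelist.
    candidate = os.path.realpath(os.path.join(base_real, rel))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


if __name__ == "__main__":
    tok = create_session("alice")
    print("session ok:", session_matches("alice", tok))
    for rel in ("docs/report.txt", "readme", "a/b/c", "a..b", "/outside"):
        print(f"{rel!r:20} -> {resolve_protected_file(rel)}")
```

`resolve_protected_file` returns the absolute path only when both the character rule and the containment check pass; the `__main__` block prints which sample inputs are accepted and which are refused.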