Re: amber-developers: yet closer for AmberTools

From: FyD <>
Date: Tue, 01 Apr 2008 13:09:49 +0200

Quoting "David A. Case" <>:

> If someone out there understands web "security", I'd like to know:
> 1. how to hide the name of the script that runs once the "submit" button
> is pushed.

1) Intead of hidding a page, you could use a php session: You start a
php session in the first page, and destroy it in the last page. Thus,
users cannot take shortcuts directly using intermediate pages (even if
the corresponding links are known): these intermediate pages can only
be opened if the registration process starts at the first page.

                 Intermediate pages
Login-page.php --> ... ---> ... ---> Final page
session_start session_destroy

php code:
<? <?
session_start(); session_destroy();
session_destroy(); ?>

Example: We did that in R.E.DD.B.:
upload-log.php -> upload1.php -> ... -> lastpage.php
session_start session_destroy

If a user tries to reach:, it will obviously work.

However, if the user tries to directly reach:
he will be re-directed to an error page because he is trying the use a
forbidden short-cut.


2) You could also use a ".htpasswd" in the directory that countains
the ambertools10.tgz file to protect this directory.
This .htpasswd contains the IP addresses of the machines authorized to
get the .tgz file. You could record each "selected" IP address when
the user register for instance.

Here is a .htpasswd file used to protect a directory:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName AccesRestreint
AuthType Basic
<limit GET>
order deny,allow
deny from all
allow from IP_address-1
allow from IP_address-2
ErrorDocument 403 /REDDB/error-protection.php
ErrorDocument 404 ...
ErrorDocument 500 ... etc...

I am not sure this corresponds to what you asked...

regards, Francois
Received on Fri Apr 18 2008 - 21:15:50 PDT
Custom Search