
Peter Falkenberg Brown

Everything posted by Peter Falkenberg Brown

  1. Dear All,

     Here's an update on how I've protected the admin login url so that only superusers could log in to admin, and the registered users with the role of 'member' could only access my front-end code. If anyone has any comments or corrections, I'd appreciate them.

     1. I renamed the admin url to something other than 'admin'.

     2. I set the admin template to only HTTPS, so that logins are encrypted.

     3. I used Soma's recommendation to set the permissions for the 'member' role to view only. Thus, even if they could log in, they would only see a 'Continue' link, as Soma mentioned. (Thanks, Soma!)

     4. After copying the wire/templates-admin files to site/templates-admin, I added these lines to the very top of the default.php file in site/templates-admin:

            if ( $user->isLoggedin() && ! $user->isSuperuser() ) {
                $session->logout();
                $session->redirect("/members/", false);
            }

        Thus, users who log in, who are not superusers, will get logged out, and redirected to /members/. I log them out so that they will not be tempted to just use the admin url to log in and get redirected. Since I haven't yet digested autoload modules, this code seemed easier to me. After I work with modules, etc., I might change my mind.

     5. I found some .htaccess code on the web that works with friendly urls (rather than real directories), and it tested correctly, so I added this code to the bottom of the public_html/.htaccess file (with urls / filenames changed to generic names in this post):

            # set env variable SECURED if current URI is /some_admin_name
            SetEnvIfNoCase Request_URI "^/some_admin_name" SECURED

            # invoke basic auth if SECURED is set
            AuthType Basic
            AuthName "Page Error"
            AuthUserFile "/home/some_username/.htpasswd"
            Require valid-user
            Satisfy any
            Order allow,deny
            Allow from all
            Deny from env=SECURED

     Based on all of this, I have multiple layers to keep people out of the admin pages. What do you all think about these security measures and techniques?

     Edit: By the way, I was going to use this "LocationMatch" code in the Apache virtual host file, but it didn't work. It popped up the password box, but then the browser went into "waiting" mode. I believe it's because the .htaccess file, with the definition of the admin friendly url, was defined *after* the main apache file Location code. I could be wrong. Here's the code I tried:

            <LocationMatch /some_admin_url>
                AuthType Basic
                AuthName "Page Error"
                AuthUserFile "/home/some_username/.htpasswd"
                Require valid-user
            </LocationMatch>

     Best regards,
     Peter
  2. Dear Ryan, That's a good idea. I thought of that method too, and probably would have selected it, but I also don't want to have duplicate page titles, in most instances, so I have to check for those in any case. And, since the logic to convert a title to a page name is the same for each record, I'm hoping that it will resolve correctly. I figured it would be easier to create a generic routine that would check any field for duplicate values, if that field is listed in the "no duplicates" array defined in a config file. I think that escaping commas and double quotes should do the trick, but if you think I'm incorrect in that, do let me know. Thanks! Peter
  3. Dear Adrian, and All, I believe it was one of the load balancers. I had two, one for HTTP, and one for HTTPS. Rackspace just told me that the HTTPS load balancer doesn't support cookie based session persistence. When I was logged into the admin, I wasn't using SSL, which is why it worked. After repointing the domain to the server directly, and bypassing the load balancers, the front end app worked. I'm using SSL on the entire app because it's a business app that needs to be secure. So now I have to work with Rackspace to see if I can use a load balancer with SSL and cookie persistence. If I can't... well, there goes the load balancer. It was just an "IP" convenience anyway, since I wasn't load balancing the logged in sessions. Very interesting... one learns more every day, one hopes. Peter
  4. Dear Wanze, Your question stimulated my little grey cells, when I looked at the config file. I'm using two load balancers (one http, one https), and I think it's a session persistence issue with them. I've put in a support ticket to see if they can change the persistence method to be 'cookie based', instead of IP based. I ran into this issue with vBulletin recently. I didn't think the load balancers were an issue, because I'm only using one web node. (I'm using the load balancers to create a stable domain IP in DNS, in case the servers need to be changed, etc.) I'll also look at your suggestion, too. Thanks!!! Peter
  5. Hi PW Gurus... If anyone can answer this quickly, you'll get a Gold Star. I need to fix this by tomorrow, Monday, so I hope some brilliant genius has an answer. I've copied my PW web app to a new account on a Rackspace cloud server, and I have a very strange issue. When I log in via the backend admin, on the new server, the cookies "wire" and "wire_challenge" get set correctly, and I stay logged in. In my front end PHP / API scripts, I can log in, and have confirmed via a print_r of the session array that all the session variables are getting set. I get to my "member's home page" correctly (with user data displayed correctly), but when I click on a different link, I get a page not found, which is typical behavior for these pages when someone is not logged in. When I click back on the /members/ url, it does indeed show that I'm not logged in. When I examine the cookies, I see the "wire" cookie, but no "wire_challenge" cookie. The code and db are identical between my old "dev" account, and the new production account, except for the db settings in the config file. (Two different servers.) I copied the public_html dir via tar.gz and did a mysqldump and restore of the database, in order to pull in the user data records (which doesn't happen with the site export.) The old server is running PHP 5.4.19, and the new server is running PHP 5.4.20. I'm using memcache on a second mysql server, but I'm not using SessionDB anyway. I've confirmed that sessions, logs, cache and files, under assets, are set to 777. (My old server used cPanel with suPHP, so I didn't need to make them world writeable.) It's very, very odd that the sessions are getting set in the admin, but not the front end API scripts. Thanks! Peter
  6. Dear Ryan,

     Thank you for your input. I think the issue that I've run into is that I'm looking for duplicate values in the database, of a page title that is input by the user, where the page title can legally have a variety of characters that the sanitizer function strips out. My primary purpose for this is when I convert the page title to a page name (i.e. url), because I don't want to have duplicate page urls. I'm not allowing the users to type the page urls, in this case. So, someone could type something for the page title that could have all types of characters, including commas, quotes, etc. Once I confirm that the page title doesn't exist, I convert that name to a url.

     What I ran into specifically was that the get and find search functions choked on a comma in the page title. I think that the sanitizer function would strip out too much data in the above scenario, so I'm wondering if, from the point of view of get() and find(), the characters that would break that search are simply the commas and the double quotes. Thus, I used:

         $field_value_search = str_replace(',', '\,', $field_value_search);
         $field_value_search = str_replace('"', '\"', $field_value_search);

     and then I didn't quote the search string. (But thank you for clarifying the method of escaping the outer quotes!) The page titles would allow double quotes and commas, so I don't want to reject those characters. Am I missing something, or would the above two lines take care of the issue with get() and find(), when searching for duplicates?

     Thanks again,
     Peter
  7. Dear Adrian, Thanks! I appreciate the feedback. Best regards, Peter
  8. Hi All, I'm moving my PW web app to a new Rackspace Ubuntu cloud server, and am wondering about the MySQL specs. The newest MySQL Community Edition is 5.6.14. I've built my application under 5.0.96. Has anyone tested PW under 5.6.14? What's the latest version that PW has been tested under? Any thoughts about it? This is a mission-critical app, and I absolutely don't want any surprises from an untested MySQL version. Thanks! Peter
  9. Dear All,

     The code above that I typed was incorrect, because it read the value of $field_value twice:

         $field_value_search = str_replace(',', '\,', $field_value);
         $field_value_search = str_replace('"', '\"', $field_value);

     I modified it, and this seems to work:

         $field_value_search = $field_value;
         $field_value_search = str_replace(',', '\,', $field_value_search);
         $field_value_search = str_replace('"', '\"', $field_value_search);
         $check_field_dupe_id = $pages->get( "$field_name=$field_value_search, include=hidden, check_access=0" )->id;

     I tried using quotes around the internal value, i.e. $field_name="$field_value", but it didn't work (this was with the $field_value not being escaped), and no outside quotes.

     EDIT: I'm wondering now, with a front-end web app with many, many get() and find() calls that interact with data fields, if it's safer to always escape commas and double quotes, as a habit. I realize that $sanitizer->selectorValue() exists, but as I mentioned above, it seems problematic to me if it replaces certain characters with a space, and truncates at 100 chars. What characters in $sanitizer->selectorValue() get stripped? Is it safe enough to just escape commas and double quotes? I welcome any thoughts on this.

     Peter
  10. Dear Ryan and All,

     I'm a wee bit confused about the $sanitizer->selectorValue() issue, versus using handrolled quotes or escapes. I'm also running a routine to check for duplicates, on new pages (looking for account names). So, when a user types an account name with a comma, like "Company, Inc.", the normal get routine breaks, as it did for Matthew. However, the cheat sheet states that the selectorValue sanitizer will replace disallowed characters (which ones?) with spaces, and then will place quotes if necessary, and will then limit the length to 100 characters. That seems potentially harmful or at least inaccurate with some data values, like a company name.

     Then, on the API page, it states:

     However... every example I've seen, of selectors, has the double quotes *outside* of the selector string, which is what I have in my example code:

         $check_field_dupe_id = $pages->get( "$field_name=$field_value, include=hidden, check_access=0" )->id;

     It would seem that I need to place the quotes around the value, so does that mean I don't need the outside quotes, e.g.

         $check_field_dupe_id = $pages->get( $field_name="$field_value", include=hidden, check_access=0 )->id;

     Also, this doesn't take care of potential double quotes in the value, so I'm wondering if the other acceptable way to do it is to manually escape the commas and double quotes? Are they the only two problematic characters in this type of query (after doing a normal text sanitization)?

         $field_value_search = str_replace(',', '\,', $field_value);
         $field_value_search = str_replace('"', '\"', $field_value);
         $check_field_dupe_id = $pages->get( "$field_name=$field_value_search, include=hidden, check_access=0" )->id;

     Thanks,
     Peter
  11. Dear Ryan, Thanks for this. I really appreciate it. I'll work on all of your recommendations. Peter
  12. Dear Ryan and All, I noted this statement on the cache settings in the templates: Note that the cache is always disabled for pages where the user has edit access, regardless of what you select here. The site I'm building is behind a "members" login, where everyone who logs in will spend 99% of their time adding and editing data records in a rather complex tree system. Each page is modular, based on the PW method of each page having its own template field set and corresponding template file. Thus, mostly, I'm dealing with small template files that load a variety of other files via php include statements. Most of the loaded files do various checks or operations using code that can be re-used between pages. I haven't counted, but I think most pages will load between 10 and 20 include files, that are mostly code that relies on variables set in the parent page. In the last few days, I've been experiencing a slowdown. I'm not sure if it's my coding, my 1 gig VPS server, or something else. I've looked at the template caching, etc, but my assumption (possibly incorrect) is that because the web app is all focused on adding and editing pages (and displaying them of course), it's not feasible to use template caching. I'm also using a cPanel box with suPHP, and I *think* that opcode caching won't work. ? Does anyone have any recommendations? Of course, I realize that getting a better machine with more RAM will help. One question about a PHP upgrade: this machine uses 5.2.17. If I upgrade to PHP 5.4+, will it break any code in PW? I noted Ryan's post on this page: http://processwire.com/talk/topic/4280-best-server-configuration-for-processwire/ The pages tonight were loading at around 2 seconds without SSL, and around 3+ with SSL. Thanks! Peter
  13. Dear Kongondo, I agree with Antti, that codewise, it's safer to not assume that the ID of the trash will always be 7. And... you asked, Because: $ignorance != $bliss; I just didn't even notice that little icon. Zowie. I thought that icon meant, "go into HTML mode". One learns something every day, and thus draws closer to coding bliss. Peter
  14. Dear Diogo and Soma, Diogo, this line: $skiptrash = "parent!=7"; doesn't take into account that in the trash, you can have grandchildren records, so the parent might not be /trash/, which is why I used has_parent!=. Although the syntax of has_parent!= seems confusing to me, since has_parent= looks for a specific page in the ancestral tree, whereas != could mean that it has any non-trash parent, rather than the fact that the trash page does not exist. The boolean logic with the wording of 'has_parent!=' is muddy, to me. Soma, your comments above are very helpful, and those are some great ideas. Kind of like Perl: "there's more than one way to do it." At least to me, this discussion has been very helpful because it exactly clarifies the behavior of get() and find() in a way that was not clear to me before. Perhaps a brief note about the behavioral change of get() and find(), when only an id query is passed, could be added to your wonderful Cheat Sheet. Thanks once again! Peter
  15. Dear Soma,

     That works well, but it converts all pages to https. I just want the /members/ branch converted. If /members/ was a physical subdir, the code above would work in an .htaccess file in that subdir. I find mod_rewrite sort of brain-twisting, which is why I asked. I also wasn't sure how it would interact with PW's rules. Perhaps this segment has to be modified?

         RewriteRule ^(.*)$

     to

         RewriteRule ^/members/(.*)$

     ?

     Yours,
     Peter
  16. Dear Ryan and All, What's the best way to set up PW so that any 'page not found' error will simply redirect the user to the home page? In PW, or in the .htaccess file? Yours, Peter
  17. Dear Antti and Soma and All,

     I created a variable:

         $skiptrash = "has_parent!=$config->trashPageID";

     Then, in my query, I use:

         $check_page = $pages->get("id=$some_page_id, $skiptrash");

     It seems to work, and I'm under the impression that one can use has_parent != ID to say that the page does not have the trash id anywhere in the trash tree. Thus, it's explicitly stating not to check in the trash. Is there a better way to put this into a query, or will this do the trick? I understand Soma's recommendation to check the status of the found page after the query, but I'd like to skip the trash in the query itself.

     Yours,
     Peter
  18. Dear Antti, Yes, that makes sense. Well... if an .htaccess wizard reads this post, I'd love to see an .htaccess solution. More speed is good, especially when using SSL. Peter
  19. Dear Antti,

     I tried your suggestion, and it worked. So, I settled on this code:

         if ( $page->rootParent->url == "/members/" && ! $config->https ) {
             // only the scheme is swapped, so an "http" elsewhere in the URL is left alone
             $httpsUrl = preg_replace('#^http://#', 'https://', $page->httpUrl);
             $session->redirect($httpsUrl);
         } elseif ( $page->rootParent->url != "/members/" && $config->https ) {
             $httpUrl = preg_replace('#^https://#', 'http://', $page->httpUrl);
             $session->redirect($httpUrl);
         } else {
             # do nothing
         }

     It seems to do exactly what .htaccess mod_rewrite would do, if I'm not mistaken. And because, after the first redirect, the SSL status is active, there aren't redirects on every page load, since the links are relative. It would be academically interesting to see how this would be done in .htaccess, but for now... problem solved!

     Thank you once again! Brilliant, brilliant.

     Peter
  20. Dear Antti, I tried that, just now. Yes, that was an extra $ sign. Oops. But... it didn't work, either. If it does work, with the right syntax, I think it's a brilliant idea, by the way. Peter
  21. Dear Antti,

     I did the above, and added your code to _init.php:

         if ( $page->rootParent->url == "/members/" ) {
             $page->template->https = 1;
         }

     It didn't work, so I looked at the $template var page on this site, http://processwire.com/api/variables/templates/ and saw this:

         $template->protocol = 1;

     but that didn't work either. I also tried this, to no avail:

         $page->$template->protocol = 1;

     Perhaps my syntax is wrong?

     Peter
  22. Dear Kongondo, Ah yes, maybe I remember reading that. It was lurking in a dusty corner of my brain. Hmmm.... I'll have to study that more now. Thanks! If there's an .htaccess rule that would do the same thing, I wouldn't mind some .htaccess wizard letting me know. Mod_rewrite is something of a black art. Peter
  23. Dear Antti, That's an interesting idea. I've not used the autoload module yet. With the default install of PW, could you tell me exactly where you would insert that code, and in which file? The other option is to find a way to do that in .htaccess. Your method above might be less complicated. Thanks! Peter
  24. Dear All,

     I'm familiar with the ProcessWire handy dandy function of checking "HTTPS only" in a template to force pages with that template to use SSL. My testing showed, however, that pages *under* the SSL page, that use other templates, don't inherit that behavior. I have a lot of templates, for a very large web app, so I don't want to have to check off that box in all of them. I could, of course, but I'm wondering if an .htaccess method would be easier. I've created a "/members/" page and want all sub-pages to redirect to SSL. I've used the code below, in an .htaccess file, but I've not used it when the page url is not a physical directory, but is instead a dynamic url.

         RewriteCond %{HTTPS} off
         RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

     I also don't know how the above two lines will interact with all the other PW directives in the .htaccess file. Tips would be appreciated.

     Thanks,
     Peter
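The duplicate-value check discussed in posts 6, 9 and 10 above puts user input (a title or account name) into a ProcessWire selector string, which is the same class of problem as building any query from untrusted text. The following is an added example, not code from the posts or from ProcessWire itself. It assumes the ProcessWire 2.x API objects ($pages, $sanitizer, $config) are handed in, that $noDupeFields is the site's hypothetical "no duplicates" list from post 2, and that the fields named in it are text fields; the function names are made up for this example. It goes a little beyond the posts: besides using $sanitizer->selectorValue() instead of hand-rolled comma and quote escaping, it adds the check that actually guarantees unique URLs, comparing the derived page name under the parent, since a name can only contain characters that are harmless in a selector.

```php
<?php
/**
 * Added example for duplicate checks built from user input in ProcessWire 2.x.
 * Assumes: $pages, $sanitizer, $config are the API variables available in a
 * template file; $noDupeFields is a hypothetical array of field names that
 * must be unique (assumed to come from the site's config, as in post 2).
 */

/**
 * Return the id of an existing page whose $fieldName equals $value, or 0
 * when there is none. Pages in the trash are ignored.
 */
function findDuplicateId(Pages $pages, Sanitizer $sanitizer, Config $config,
                         array $noDupeFields, $fieldName, $value) {

    // The field name is interpolated into the selector as well, so it is never
    // accepted from a request unchecked: it has to be on the configured list.
    if (!in_array($fieldName, $noDupeFields, true)) {
        throw new WireException("Field '$fieldName' is not configured for duplicate checks");
    }
    $fieldName = $sanitizer->selectorField($fieldName);

    // selectorValue() returns a value that is safe to embed as-is: it quotes
    // values that contain commas (e.g. "Company, Inc.") and removes or blanks
    // characters that mean something to the selector parser. Do not wrap the
    // result in a second pair of quotes.
    $safe = $sanitizer->selectorValue($value);
    if ($safe === '' || $safe === '""') return 0;

    // include=all also finds hidden/unpublished pages; has_parent!= keeps the
    // trash out, as in post 17.
    $selector = "$fieldName=$safe, include=all, has_parent!={$config->trashPageID}";

    // selectorValue() may have changed the value, so a hit is only a candidate:
    // compare the stored value with the original before reporting a duplicate.
    // (Case-insensitive, to match what the = operator does on a text field.)
    // Values containing characters that selectorValue() strips cannot be
    // matched exactly this way; URL uniqueness is covered by the name check.
    foreach ($pages->find($selector) as $candidate) {
        if (strcasecmp(trim($candidate->get($fieldName)), trim($value)) === 0) {
            return $candidate->id;
        }
    }
    return 0;
}

/**
 * The check that guarantees a unique URL: derive the page name exactly as the
 * new page would get it and look for that name under the intended parent.
 * Page names only contain [a-z0-9-_.], so no escaping question arises.
 */
function findDuplicateNameId(Pages $pages, Sanitizer $sanitizer, Page $parent, $title) {
    $name = $sanitizer->pageName($title, true);   // "Company, Inc." -> "company-inc"
    if ($name === '') return 0;
    return $pages->get("parent=$parent->id, name=$name, include=all")->id;
}

// Usage inside a template file, where $pages, $sanitizer, $config and $input exist:
//
// $noDupeFields = array('title', 'account_name');        // assumed config value
// $parent       = $pages->get('/members/accounts/');     // assumed parent page
// $value        = $sanitizer->text($input->post->account_name);
// if (findDuplicateId($pages, $sanitizer, $config, $noDupeFields, 'account_name', $value)
//     || findDuplicateNameId($pages, $sanitizer, $parent, $value)) {
//     // reject: a page with this value, or one that would get this URL, already exists
// }
```

Two design points worth noting: the field name is whitelisted before it touches the selector, because it is user-influenced text in the query just as much as the value is; and the name-based check is the one to rely on for URL collisions, because the title check can only ever be as exact as the sanitizer allows.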