
PHP

Ryan Hellerud
3,635 Points

How can I add a security layer?

At the moment, I have a site involving JavaScript to hide front-end elements which, as I found out, can be overridden without a ton of effort. However, I am interested in whether there is a way to add some server-side code or something else, to make it much more difficult to gain access to some files that should not be accessible.

Right now, there are two sites, with different URLs both pointing to the same server, because it is much easier to maintain the one site than two separate ones. Right now, the secure site is protected with a password, and there is access to all of the answer keys for the teachers etc.

Currently, I am using JavaScript to simply hide certain elements on the student site, but that may not be the best way to go, as it's hackable. So I'm wondering if anyone has any ideas for added security besides the JavaScript I'm using to hide the elements. The two sites are teacher: http://op.emsofl.com/ and the student site with the hidden answer tabs http://ops.emsofl.com/ . Should I use more complex JS, PHP or any other ideas so that kids can't hack the answer keys? I don't think there are many out there that could, but I don't wanna take the chance of a few doing it.

Current JS security code:

  $("dd").each(function () {
    var a = $(this).find("a");
    if (a.text() == 'Study Sheets Answer Keys' || a.text() == 'Graded Assignment Answer Keys' || a.text() == 'Lab Answer Keys') $(this).hide();
  });

Would there be a way to use PHP, for example, or something similar to restrict elements based on what domain they come from, so I could still have everything centralized on one server but control the access more securely?

3 Answers

Kevin Korte
28,149 Points

I would definitely look at a server-side solution for this. A server-side solution could not be undone like a JS solution would, since you would restrict what content actually even makes it to the user's browser, vs sending everything and hiding it with JS like you are now.

The direction I would be tempted to go would be to use $_SERVER['SERVER_NAME'] and probably save it as a variable. That should let you know if the user is using the student or teacher URL.

Then simply use conditionals.

Where you need to restrict the information, you wrap that in a conditional that checks if the result of the Server Name is the student or teacher URL, and then have it output the code as appropriate.

It's still not 100% spoof-proof, but it's a lot more secure than using JS, and quite frankly if someone can figure out how to still fake the URL, and thus get what they want, then I'd be pretty impressed.

Ryan Hellerud
3,635 Points

Yes, this is definitely something I am interested in because that would be much harder than currently. Do you have any idea how I could implement it? Because I am really pretty new to PHP and don't even know where to start to do this really.

For example, could I do something like, based on the URL, the server restricts access to folders with the text 'key' or 'ak' in them? Because all the answer keys are stored in folders with the word 'key' or 'ak' somewhere in the folder name basically.

Thank you!!
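One way to do what the question above asks in PHP rather than in server configuration, as an added example that is not from this thread: a small gate script through which answer-key files are fetched, so the request hostname decides whether a folder with 'key' or 'ak' in its name may be served. It assumes the files live in a hypothetical directory outside the web root (CONTENT_ROOT), so they cannot be requested directly, and that the teacher site's own login stays in front of this, because the hostname is taken from the client's Host header.

```php
<?php
// Added example, not the thread's code. CONTENT_ROOT is a hypothetical folder
// outside the web root; files are fetched as files.php?f=unit3/ak/lab1.pdf.
define("TEACHER", "op.emsofl.com");
define("CONTENT_ROOT", "/srv/course-content");

// Host is client-supplied: require an exact allowlist match for the teacher
// site and treat everything else as the student site (fail closed).
function is_teacher() {
    return strtolower($_SERVER['SERVER_NAME'] ?? '') === TEACHER;
}

// The question's rule: answer keys sit in folders with 'key' or 'ak' in the
// name. Applied to every directory segment (not the filename) of a path;
// tighten to exact folder names if a course folder like 'make' ever exists.
function is_answer_key_path($relative) {
    foreach (preg_split('~[\\\\/]~', dirname($relative)) as $dir) {
        if (stripos($dir, 'key') !== false || stripos($dir, 'ak') !== false) {
            return true;
        }
    }
    return false;
}

// Resolve the user-supplied path inside CONTENT_ROOT; null if it escapes the
// root via ../ or a symlink, or is not a regular file.
function resolve_content($relative) {
    $root = realpath(CONTENT_ROOT);
    $path = $root === false ? false : realpath($root . '/' . $relative);
    if ($path === false || !is_file($path)) {
        return null;
    }
    return strpos($path, $root . DIRECTORY_SEPARATOR) === 0 ? $path : null;
}

$path = resolve_content($_GET['f'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
// Apply the folder rule to the resolved path, not to the raw query string.
$relative = substr($path, strlen(realpath(CONTENT_ROOT)) + 1);
if (is_answer_key_path($relative) && !is_teacher()) {
    http_response_code(403);
    exit('Answer keys are only available on the teacher site.');
}
header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
header('Content-Disposition: inline; filename="' . basename($path) . '"');
readfile($path);
```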

Ryan Hellerud
3,635 Points

Thanks, I see your idea. The only problem is there is a TON of code I would have to refactor... I'm actually working with the web administrator to see if we can do any restrictions on the back end or .htaccess file.

Kevin Korte
28,149 Points

Sounds good. I am assuming you are using Apache on the server, so if that's the case, look at the possibilities of using the Location Directive.

http://httpd.apache.org/docs/2.2/mod/core.html#location

I hate trying to write htaccess code, so I'm not of much help here past that.

Ryan Hellerud
3,635 Points

I think it's an IIS server; I'm not sure if it's Apache. I used the Chrome plug-in and it detected IIS, on asp.net, but I'm not even using asp.net so I don't know.

Kevin Korte
28,149 Points

Yeah, according to builtwith.com, it's an IIS server with asp.net and PHP. Usually IIS and asp.net go hand in hand, and I know nothing about either. I don't understand where PHP comes into play there, so everything we talked about might be of no help to you. IIS does not use htaccess files, but they probably have something similar. A quick Google search turned up a web.config file.

Your web admin should be able to advise you best at this point. The only problem with any JS solution is that JS is client-side, which makes it easy to get around. It's also why JS validation is not reliable for form submission. The only way to really lock out or sanitize something is server-side.

Ryan Hellerud
3,635 Points

Yup, so I've emailed him and will see what he says. I'm using some minor PHP for the header and a few things, nothing major.

Ryan Hellerud
3,635 Points

For example, could I do something like, based on the URL, the server restricts access to folders with the text 'key' or 'ak' in them? Because all the answer keys are stored in folders with the word 'key' or 'ak' somewhere in the folder name basically.

Kevin Korte
28,149 Points

Not really, not in the way you were thinking. For PHP to restrict access to files or folders, you do that in the .htaccess file, which, truth be told, I'm not any good at writing.

I'm also not completely sure you can pass variables and conditionals to a .htaccess file.

What I meant is refactoring your code. Basically, depending on whether the user is browsing from op.emsofl or ops.emsofl, we give them different sets of code, from the same single file.

Here is a rough example.

Basically, grab the URL name in a variable, and then check against it.

<?php
// Set up our constants: the two hostnames that share this server.
define("TEACHER", "op.emsofl.com");
define("STUDENT", "ops.emsofl.com");
// $_SERVER['SERVER_NAME'] is the hostname the request came in on.
$site = $_SERVER['SERVER_NAME'];
// $site should now hold either op.emsofl.com or ops.emsofl.com, depending on which URL the user is on.
?>

So now we can mix our PHP and our HTML. I stole some of your HTML to show you what I meant.

<dl class="tabs" data-tab="">
  <dd class="active"><a href="#p15a">Study Sheets</a></dd>
  <?php if ($site == TEACHER) { ?>
    <dd><a href="#p15b">Study Sheets Answer Keys</a></dd>
  <?php } ?>
  <dd><a href="#p15c">Graded Assignments</a></dd>
  <?php if ($site != STUDENT) { ?>
    <dd><a href="#p15d">Graded Assignment Answer Keys</a></dd>
  <?php } ?>
</dl>

So what happens here is when your server generates all of the assets to build the HTML for the user, the students are going to get two items: they will get Study Sheets and Graded Assignments. The teachers would get all 4. This is because the if statement fails when viewed from the student URL, and so the server skips everything inside the failed if statement. There is nothing to hide here, because it never gets sent to the client's computer. Much more secure.

FYI, I also wrote each if statement two different ways. The first one checks if the site URL is equal to the teacher URL, and the second one checks if the site URL is not equal to the student URL, from which we then could assume the user is on the teacher URL. I'd probably just use the first if statement for all the checks, but the more you know the better.

In all fairness, this code is completely untested, and so I may have a small error here or there that needs to be addressed.
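The snippet above gates the tab links, but the tab panes they point at (#p15b, #p15d) hold the answer text itself and need the same gate, or it is still in the page source. As an added example that is not from this thread, the following renders links and panes from one list so a teacher-only entry is dropped from both; it assumes the two hostnames from the question and a hypothetical panes/ directory of per-tab include files.

```php
<?php
// Added example, not the thread's code. Hostnames are from the question;
// panes/<id>.php is a hypothetical per-tab include holding the pane body.
define("TEACHER", "op.emsofl.com");
define("STUDENT", "ops.emsofl.com");

// SERVER_NAME usually comes from the client's Host header, so match an
// allowlist and treat any unexpected value as the student (least-privileged)
// view instead of assuming "not student" means "teacher".
function is_teacher() {
    return strtolower($_SERVER['SERVER_NAME'] ?? '') === TEACHER;
}

// One list drives both the tab links and the panes, so a teacher-only entry
// is removed from both and its answer text is never sent to a student.
$tabs = [
    ['id' => 'p15a', 'title' => 'Study Sheets',                  'teacher_only' => false],
    ['id' => 'p15b', 'title' => 'Study Sheets Answer Keys',      'teacher_only' => true],
    ['id' => 'p15c', 'title' => 'Graded Assignments',            'teacher_only' => false],
    ['id' => 'p15d', 'title' => 'Graded Assignment Answer Keys', 'teacher_only' => true],
];
$visible = array_values(array_filter($tabs, function ($t) {
    return !$t['teacher_only'] || is_teacher();
}));
?>
<dl class="tabs" data-tab="">
<?php foreach ($visible as $i => $t): ?>
  <dd<?= $i === 0 ? ' class="active"' : '' ?>>
    <a href="#<?= $t['id'] ?>"><?= htmlspecialchars($t['title']) ?></a>
  </dd>
<?php endforeach; ?>
</dl>
<div class="tabs-content">
<?php foreach ($visible as $i => $t): ?>
  <div class="content<?= $i === 0 ? ' active' : '' ?>" id="<?= $t['id'] ?>">
    <?php include __DIR__ . '/panes/' . $t['id'] . '.php'; ?>
  </div>
<?php endforeach; ?>
</div>
```

On the student host the HTML contains neither the answer-key links nor the pane markup, so there is nothing for the JavaScript in the question to hide.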