Custom Error Page, will not display graphics.

lestat · - Joined: 15 Sep 2003 Posts: 130 Location: GREEN BAY

I made a custom 401 error page with the /Error/401.php added to the custom error page area.

.gif and .jpg don't seem to display.

My URL and temporary login is:

http://vlprmt.no-ip.com
Login: test
Pass: foooo

Thanks for any help.[/url]

TRUSTAbyss · - Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA

Are you linking to the Images correctly
I checked a image and it wasn't found !

lestat · - Joined: 15 Sep 2003 Posts: 130 Location: GREEN BAY

Um, how are you able to check an image on my server? If you can, does that mean anybody can? Am I insecure hehe.

(I will check my code out, thx for peeking)

iNaNimAtE · Posted: Thu May 13, 2004 3:23 am Post subject:

Ok: Here's your problem:

What you're trying to do is paradoxical. Look at what happens:
Everything under / is password protected. When a user does not enter the correct username and password, they get sent to a 401 page which is trying to access images inside the password protected realm. The paradox is, the images are being displayed for someone who is not authorized to access inside /, and therefore is not able to access the images which are placed inside this password protected realm.
How I know this: I checked the URL of the images, pasted it in the browser, and it prompted for a password. Then I took that same exact URL, and pasted it in the browser after I had already entered the correct credentials, and the image displayed.
_________________
Bienvenidos!

lestat · - Joined: 15 Sep 2003 Posts: 130 Location: GREEN BAY

Ahh, makes sense. I actually understand :-)

1) What would you recommend for bypassing this without compromising security?

2) Using the method that you checked with, is it possible for anyone to 'sneak in' and mess with my page, or view data?

Thanks!

iNaNimAtE · Posted: Fri May 14, 2004 12:41 am Post subject:

Here's what I suggest. In your /htdocs folder, make another folder called /html and put your entire website out there. Second, password-protect the /html directory and NOT the root directory (/). Third, put your custom Error 401 page and all its images outside the /html directory in the /htdocs directory, and set up the Custom Error Pages in the console appropriately. Fourth, make your index.html page in /htdocs to redirect to /htdocs/html/index.html (or whatever) using the script at the bottom.

Recap:
/htdocs should have the index.html and the error401.html with all its images.
/htdocs/html should have your entire website.
/htdocs/index.html will redirect to /htdocs/html.

The script:

lestat · - Joined: 15 Sep 2003 Posts: 130 Location: GREEN BAY

OK I get it. Matter of fact, I like the layout for security too!

However, the redirect, still pushes through into /html/index with the 401 error and of course, the images do not show.

If I go direct to the 401 error it will show.

http://vlprmt.no-ip.com:81/error401.php

How do I stop the redirect in the event of wrong password?

iNaNimAtE · Posted: Sat May 15, 2004 8:19 am Post subject:

Down for me.

12:00AM -0800 (PST)

Ok, so I was up sort of late...
_________________
Bienvenidos!

TRUSTAbyss · - Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA

I noticed that your images point to /html where your password
protected area is , if they get a failed attemp then the images
won't show either because their also a failed attempt because
the server rejected the login and the images are in the login area
, if you create a non login area for the images like /images than
the images will probably load on a failed request

Do this , put all Forbidden images in a new
folder called /images and then redirect to
the password protected area /html !