0

A few weeks ago I wanted to create an app because I came up with a good idea. Now, firstly I want to implement it on a webpage, and there are several ways to create a webpage well.

The first possible way is to create it locally and set up a server. Then you can install MySQL there, PHP, etc. You can basically develop it while being OFFLINE.

The second way is to find a good hosting service and start creating the webpage on the hosting. Usually all those hosting services have PHP, MySQL and all this stuff preinstalled, so you can start in a second.

I don't want anyone to see what I do before I release it. I also don't want anyone to see it and maybe steal it or create the same thing as I am doing.

The first way of creating webpages is probably safer because you don't share all the source code with anyone else, but if I want to do it using hosting, how can I make sure that no one can break into that? To be more exact:

I wrote at the beginning of every PHP file that if !isset($_SESSION['user']) then header('Location: index.php'). Now you will probably ask me why? Because I created a login form in which you have to log in. Registration doesn't work yet, so I just created an account right in the database. So is THIS safe? My goal is that no one can access the PHP files I have written without logging in, even though they are on hosting. Without logging in you should not be able to open them, only index.php, which contains something like: "Hello, please login to continue". Is this way safe? Is it safe enough that I can, for example, write my card credentials on that PHP page? Can't someone just simulate a SESSION without really logging in, and open those webpages even though there is a condition that if the session name is not set then redirect to index.php? Thanks. What are the risks? Should I swap to local development?

wolf4
  • 37
  • 3

4 Answers

1

You should really develop it locally instead of going out of your way to secure an online page that you clearly don't want anybody to see.

It's much easier to learn about local web development than to implement harsh security measures for an online page.

I can personally recommend MAMP.

0

Developing the software on the host where it is going to live can be helpful and save you the trouble of figuring out how to create the hosting yourself.

Most hosts use Apache for the web server, and so I would recommend just adding some directives to Apache's .htaccess files.

The simplest is to add deny rules and block by IP:

deny from all
allow from 123.123.123.123

Another option is to require a login. Here's an article on doing that: https://wiki.apache.org/httpd/PasswordBasicAuth

If your host has cPanel, and many do, it is trivial to add password protection from inside of cPanel.

None of these will affect your coding, or require anything that you can make a mistake with. Placing that right in your document root should be easy, and you can simply remove the lines when you're ready to launch.

DKing
  • 574
  • 5
  • 16
0

If I understand right, what you want is to create a "maintenance mode" for your site?

If so, you can create a config.ini file like:

maintenance_mode=true ;Use true or false here
maintenance_access_ip="your_ip_here" ;Use your external ip. Example: "192.168.0.1"

And put the following code at the top of your scripts:

$configs = parse_ini_file('path/to/config.ini');

if(
    $configs['maintenance_mode'] 
    && $_SERVER['REMOTE_ADDR'] != $configs['maintenance_access_ip']
){
    //Redirect your user to a page informing your user that your service is down
    header('Location: maintenance.php');
    die();
}
CarlosCarucce
  • 3,420
  • 1
  • 28
  • 51
  • I want to restrict access to the webpage, but I need something more complex than logging in – wolf4 Jun 28 '16 at 19:13
0

You need to validate your index page with your IP address. Follow the code below for this:

if($_SERVER['REMOTE_ADDR']=="YOUR IP ADDRESS")
{
    //Your Index Page Code
}else
{
    echo "Not Accessible";
}

Otherwise, do it like this. Put the code below at the top of the index page:

if($_SERVER['REMOTE_ADDR']!="YOUR IP ADDRESS")
{
    exit; // or die()
}
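
The per-file session check described in the question, combined with the IP allowlist from the answers, written as one include file. This is an added example, not code from any of the posts; the file name guard.php, the ALLOWED_IPS constant, the helper function names and the sample address are assumptions made for illustration.

```php
<?php
// guard.php (hypothetical name): require it as the first line of every
// protected script, e.g.  require __DIR__ . '/guard.php';
// Do NOT include it from index.php or the login handler, or the redirect loops.

// Constructed sample address from the documentation range; use your own.
const ALLOWED_IPS = ['203.0.113.10'];

function client_allowed(string $remoteAddr, array $allowed): bool
{
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN it is the
    // proxy's address, so an allowlist on it only works with a direct connection.
    return in_array($remoteAddr, $allowed, true);
}

function redirect_and_stop(string $location): void
{
    header('Location: ' . $location, true, 302);
    // header() only queues a response header. Without exit, the rest of the
    // script still runs and its output is sent to a client that ignores the
    // redirect, so the protected page would be readable without a login.
    exit;
}

// Set cookie flags before the session starts (array form needs PHP 7.3+).
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // assumes the site is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Layer 1: network allowlist, as in the answers above.
if (!client_allowed($_SERVER['REMOTE_ADDR'] ?? '', ALLOWED_IPS)) {
    http_response_code(403);
    exit('Forbidden');
}

// Layer 2: the login check from the question. $_SESSION lives on the server;
// the browser only holds the session ID, so the value cannot be set from
// outside, but a stolen or guessed ID would be accepted.
if (!isset($_SESSION['user'])) {
    redirect_and_stop('index.php');
}
```

In the login handler, call session_regenerate_id(true) right after the password check succeeds so that a session ID issued before login is not reused afterwards.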