There are several HTTP status codes that are appropriate to use when denying access to a user. Earlier, we used the response code of 401 Unauthorized to control HTTP authentication. The response status code of 403 Forbidden is appropriate if an explanation as to why access has been denied is required. Example 9-5 uses the code of 403 Forbidden. The HTTP/1.1 standard describes 17 4xx status codes that have various meanings. The infamous 404 Not Found is returned by Apache if the requested resource doesn't exist, and a PHP script can return this code if the exact reason for the refusal needs to be hidden. The code 402 Payment Required is reserved, but the HTTP standard does not specify how it should be used.
Limits placed on IP addresses
A PHP script can access the IP address from which a request was sent by inspecting the server variable $REMOTE_ADDR. This remote address can be used to restrict access. A simple example allows access only from a specific IP address; this can be used to implement administration scripts that allow access only from a specific computer. A variation, shown in Example 9-5, is to allow access to users on a particular network subnet. Example 9-5 limits access to the main content of the script to requests sent from clients with IP addresses that begin with 141.190.17.
Example 9-5. PHP script that forbids access from browsers outside an IP subnet
<?php
// Compare the first 11 characters, i.e. "141.190.17." including the trailing
// dot, so that addresses such as 141.190.170.5 are not mistaken for members
// of the subnet. $_SERVER['REMOTE_ADDR'] is used in place of the
// register_globals-era $REMOTE_ADDR referred to in the text.
if (strncmp("141.190.17.", $_SERVER['REMOTE_ADDR'], 11) != 0)
{
    // Refuse the request with an explanation (403), then stop the script
    // so that the protected content below is never sent.
    header("HTTP/1.0 403 Forbidden");
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
  "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>Marketing Department</title></head>
<body>
<h2>403 Forbidden</h2>
<p>You cannot access this page from outside the Marketing Department.</p>
</body>
</html>
<?php
    exit;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
  "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>Marketing Department</title></head>
<body>
<h2>Marketing secrets!</h2>
<p>Need new development team - the old one says <em>No</em> far too often.</p>
</body>
</html>
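The following is an added example, not Example 9-5 from the book, that performs the same subnet restriction using a network mask instead of a string prefix (a bare prefix such as "141.190.17" also matches 141.190.170 through 141.190.179), and that shows the choice between 403 Forbidden and 404 Not Found discussed above. The function names ip_in_subnet and deny_access, the /24 mask, and the hide_reason switch are assumptions made for the example.

```php
<?php
// Added example: subnet check by network mask (IPv4 or IPv6) rather than by
// string prefix. 141.190.17.0/24 is assumed to be the book's marketing subnet.

// Return true when $ip lies inside $cidr, e.g. ip_in_subnet("141.190.17.9", "141.190.17.0/24").
// Malformed input and IPv4/IPv6 mismatches are treated as "outside" (fail closed).
function ip_in_subnet($ip, $cidr)
{
    if (strpos($cidr, '/') === false) {
        return false;
    }
    list($network, $bits) = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($network);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $bits    = (int) $bits;
    $maxBits = strlen($ipBin) * 8;      // 32 for IPv4, 128 for IPv6
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Compare the whole bytes covered by the mask first, then the leading
    // bits of the one partially covered byte, if any.
    $fullBytes = intdiv($bits, 8);
    $remBits   = $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    if ($remBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// Refuse the request. 403 is used when an explanation is appropriate; 404 is
// used when the existence of the resource itself should not be revealed.
function deny_access($hide_reason)
{
    if ($hide_reason) {
        header("HTTP/1.0 404 Not Found");
        echo "<h2>404 Not Found</h2>";
    } else {
        header("HTTP/1.0 403 Forbidden");
        echo "<h2>403 Forbidden</h2>\n";
        echo "<p>You cannot access this page from outside the Marketing Department.</p>";
    }
    exit;
}

// REMOTE_ADDR is the address of the TCP peer Apache accepted the connection
// from. Behind a reverse proxy it is the proxy's address, not the user's;
// client-supplied headers such as X-Forwarded-For are deliberately not
// consulted here because the client, not the server, chooses their content.
$client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if (!ip_in_subnet($client, '141.190.17.0/24')) {
    deny_access(false);   // pass true to answer with 404 instead of 403
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
  "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>Marketing Department</title></head>
<body>
<h2>Marketing secrets!</h2>
<p>Only clients inside 141.190.17.0/24 reach this line.</p>
</body>
</html>
```

Because the check compares address bytes under a mask rather than characters, the same function accepts an IPv6 range such as "2001:db8::/32", and a request from 141.190.170.5 is correctly refused.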
Another limit that can be applied using the IP address is to help prevent session hijacking, a problem discussed later in this chapter.