PHP Sessions and .htaccess

ripcurlksm
Forum Commoner
Posts: 34
Joined: Sun Aug 08, 2004 9:17 pm

PHP Sessions and .htaccess

Post by ripcurlksm »

I have a section of a website that is password protected for members only and I use PHP sessions to keep the connection alive between pages. While logged in they have access to a series of internal links to a subdirectory of HTML files that pop into a new window... however this directory is not protected. ... unless you know the exact URL, you pretty much can't find it... but I am concerned that people are copying the link and sending it to other people who are not subscribers.

Is it possible to set up some sort of .htaccess on a certain directory, in which the user would be prompted for a username and password unless they were already logged in? Meaning is it possible to pass a PHP session username and password to a .htaccess-protected directory? If they are logged in already they see the page/directory, if they are not logged in they get the .htaccess prompt.

Is there a way to do this or can someone recommend a better method of handling this?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Use a PHP script.
ripcurlksm
Forum Commoner
Posts: 34
Joined: Sun Aug 08, 2004 9:17 pm

Post by ripcurlksm »

So it can be done... I have never used .htaccess before. Just wanted to confirm?
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

You don't need to bother with .htaccess for this.

Your files that load in the new window can be protected with a small piece of PHP at the beginning, something like this:

Code:

<?php

// Start (or resume) the session so that $_SESSION is populated.
session_start();

if(!isset($_SESSION['logged_in']) || ($_SESSION['logged_in'] != true))
{
   die('Please log in to access this content.');
}

?>
CoderGoblin
DevNet Resident
Posts: 1425
Joined: Tue Mar 16, 2004 10:03 am
Location: Aachen, Germany

Post by CoderGoblin »

scottayy wrote:

Code:

die('Please log in to access this content.');

I'd prefer to redirect them to either a login screen or alternatively to the home page using header.

Code:

// Assumes session_start() has already been called earlier in the script.
if (empty($_SESSION['user_id'])) {
  // Send unauthenticated visitors to the login page and stop the script.
  header("Location: http://mywebpage.com/login.php");
  exit;
}

Having a PHP solution is probably more maintainable in the long run.
ripcurlksm
Forum Commoner
Posts: 34
Joined: Sun Aug 08, 2004 9:17 pm

Post by ripcurlksm »

Guys, the files I am trying to protect are .htm Microsoft Publisher files, not PHP files. Which is why I choose .htaccess... Please advise.
Begby
Forum Regular
Posts: 575
Joined: Wed Dec 13, 2006 10:28 am

Post by Begby »

There isn't a good way to do what you want that I know of using .htaccess.

The best way using PHP would be to store the .htm files outside of the root, then stream them using a PHP script.
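
Begby's suggestion above, sketched as an added example (not code from any poster in this thread): a gatekeeper script checks the session and then streams a .htm file that is kept outside the web root. The script name serve.php, the directory path, /login.php and the `file` query parameter are assumptions; the `logged_in` session key is the one used in s.dot's snippet.

```php
<?php
// serve.php (hypothetical name): lives inside the web root and is the only
// way to reach the member pages, e.g. serve.php?file=issue12.htm
// Assumed location of the .htm files, OUTSIDE the document root, so the
// web server can never hand them out directly.
const PROTECTED_DIR = '/var/www/private/members';

// Map a requested name to a real file inside $baseDir, or return null.
function resolve_member_file(string $baseDir, $requested): ?string
{
    // Accept only a flat file name ending in .htm/.html: no slashes,
    // no "..", no NUL bytes, no arrays from ?file[]=...
    if (!is_string($requested)
        || !preg_match('/^[A-Za-z0-9_-]+\.html?\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // After symlinks are resolved the file must still sit under $baseDir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start(); // must run before $_SESSION is read

// Same session flag as in s.dot's snippet; set by the site's login code.
if (empty($_SESSION['logged_in'])) {
    header('Location: /login.php'); // assumed login page
    exit;
}

$file = resolve_member_file(PROTECTED_DIR, $_GET['file'] ?? null);
if ($file === null) {
    http_response_code(404);
    exit('Not found.');
}

header('Content-Type: text/html');
header('X-Content-Type-Options: nosniff');
// Keep member-only pages out of shared caches.
header('Cache-Control: private, no-store');
readfile($file);
```

Images or other assets that the .htm pages reference by relative URL sit outside the web root too, so they would also need to be served through a gatekeeper like this, with their own content types.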
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

You're not going to do it the way you are trying to now. If they are static HTML pages they can be called regardless of a user's logged in status. You would be better making them PHP files (easily, as scottayy has stated) and putting a simple log in script in action to prevent them from calling the files without being authenticated.
ripcurlksm
Forum Commoner
Posts: 34
Joined: Sun Aug 08, 2004 9:17 pm

Post by ripcurlksm »

RobertGonzalez wrote:

If they are static HTML pages they can be called regardless of a users logged in status.

Not if the directory the HTML files are sitting in is protected though, right?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Right, but then you get into that issue of putting them behind some form of HTTP authentication. Regardless, something is going to have to manage the authentication of users in that directory. It would be very easy to make them all PHP files and protect them using PHP.