PHP Sessions and .htaccess
Posted: Tue May 15, 2007 11:30 pm
by ripcurlksm
I have a section of a website that is password protected for members only and I use PHP sessions to keep the connection alive between pages. While logged in they have access to a series of internal links to a subdirectory of HTML files that pop into a new window... however, this directory is not protected... unless you know the exact URL, you pretty much can't find it... but I am concerned that people are copying the link and sending it to other people who are not subscribers.
Is it possible to set up some sort of .htaccess on a certain directory, in which the user would be prompted for a username and password unless they were already logged in? Meaning, is it possible to pass a PHP session username and password to a .htaccess-protected directory? If they are logged in already they see the page/directory, if they are not logged in they get the .htaccess prompt.
Is there a way to do this or can someone recommend a better method of handling this?
Posted: Wed May 16, 2007 12:09 am
by feyd
Use a PHP script.
Posted: Wed May 16, 2007 12:24 am
by ripcurlksm
So it can be done... I have never used .htaccess before. Just wanted to confirm?
Posted: Wed May 16, 2007 1:38 am
by s.dot
You don't need to bother with .htaccess for this.
Your files that load in the new window can be protected with a small piece of PHP at the beginning, something like this:
Code:
<?php
// Resume the session so $_SESSION is populated before the check.
session_start();
// Stop here unless the login script has set the logged_in flag.
if(!isset($_SESSION['logged_in']) || ($_SESSION['logged_in'] != true))
{
    die('Please log in to access this content.');
}
?>
Posted: Wed May 16, 2007 2:45 am
by CoderGoblin
scottayy wrote:
Code:
die('Please log in to access this content.');
I'd prefer to redirect them to either a login screen or alternatively to the home page using header.
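Code:
<?php
// Resume the session so $_SESSION is available.
session_start();
// Send anyone without a logged-in user id to the login page.
if (empty($_SESSION['user_id'])) {
    header("Location: http://mywebpage.com/login.php");
    exit;
}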
Having a PHP solution is probably more maintainable in the long run.
Posted: Wed May 16, 2007 10:31 am
by ripcurlksm
Guys, the files I am trying to protect are .htm Microsoft Publisher files, not PHP files. Which is why I chose .htaccess... Please advise.
Posted: Wed May 16, 2007 10:55 am
by Begby
There isn't a good way to do what you want that I know of using .htaccess.
The best way using PHP would be to store the .htm files outside of the root, then stream them using a PHP script.
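Begby's suggestion above (keep the files outside the web root and stream them through PHP), written out as an added example that is not part of the original thread. The script name serve.php, the directory path, the `file` parameter and /login.php are assumptions; the `logged_in` session flag is the one used earlier in the thread.

```php
<?php
// Added example, not code from the thread. serve.php, PROTECTED_DIR and the
// "file" parameter are hypothetical names.
declare(strict_types=1);

// Assumed location outside the document root, so Apache never serves it directly.
const PROTECTED_DIR = '/var/www/private/members';
// Extensions the script will serve (pages plus the assets they reference).
const ALLOWED_TYPES = [
    'htm' => 'text/html', 'html' => 'text/html', 'css' => 'text/css',
    'gif' => 'image/gif', 'jpg' => 'image/jpeg', 'png' => 'image/png',
];

// Map a requested name to a real file under $baseDir, or null if it must not be served.
function resolve_protected_file(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks before the containment check.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the protected directory
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_TYPES) ? $path : null;
}

session_start();
// Same session flag as the check posted earlier in the thread.
if (empty($_SESSION['logged_in'])) {
    header('Location: /login.php');   // assumed login page
    exit;
}

$name = $_GET['file'] ?? '';
$file = is_string($name) ? resolve_protected_file(PROTECTED_DIR, $name) : null;
if ($file === null) {
    http_response_code(404);
    exit('Not found.');
}

$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($file));
readfile($file);
```

Member pages would link to serve.php?file=name.htm instead of the file's direct URL. Relative image and stylesheet links inside the Publisher pages resolve against the script's URL, so they need to be routed through the same script as well.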
Posted: Wed May 16, 2007 1:45 pm
by RobertGonzalez
You're not going to do it the way you are trying to now. If they are static HTML pages they can be called regardless of a user's logged-in status. You would be better making them PHP files (easily, as scottayy has stated) and putting a simple login script in action to prevent them from calling the files without being authenticated.
Posted: Wed May 16, 2007 11:35 pm
by ripcurlksm
If they are static HTML pages they can be called regardless of a user's logged-in status.
Not if the directory the HTML files are sitting in is protected though, right?
Posted: Thu May 17, 2007 10:40 am
by RobertGonzalez
Right, but then you get into that issue of putting them behind some form of HTTP authentication. Regardless, something is going to have to manage the authentication of users in that directory. It would be very easy to make them all PHP files and protect them using PHP.