
Use .htaccess and PHP session together - is it possible?

Posted: Tue Apr 25, 2006 5:32 am
by ecce
This may be an Apache question more than actual PHP, but anyway:

Is it possible to write a few lines in a .htaccess file that only allows the contents of that folder to be viewed by those who have $_SESSION['username'] set? I need to protect the contents of a folder for those who are not yet logged onto the site.

Re: Use .htaccess and PHP session together - is it possible?

Posted: Tue Apr 25, 2006 6:07 am
by Chris Corbyn
ecce wrote: This may be an Apache question more than actual PHP, but anyway:

Is it possible to write a few lines in a .htaccess file that only allows the contents of that folder to be viewed by those who have $_SESSION['username'] set? I need to protect the contents of a folder for those who are not yet logged onto the site.
Why not just do this at the top of each file?

Code:

<?php

session_start();
if (!isset($_SESSION['username'])) header("Status: 404 Not Found");

?>
You could auto_prepend that using .htaccess I think too.

Posted: Tue Apr 25, 2006 7:06 am
by ecce
I store Cisco proprietary materials on the server, and modifying the .html files is a bad idea. Unauthorized people should not be able to access the material by entering a direct URL.

Posted: Tue Apr 25, 2006 8:00 am
by Chris Corbyn
ecce wrote: I store Cisco proprietary materials on the server, and modifying the .html files is a bad idea. Unauthorized people should not be able to access the material by entering a direct URL.
With the correct headers being sent back to the browser the client will see the same as if the user entered an invalid URL. If all the files are .html then set the web server to parse .html with the PHP interpreter and use auto_prepend_file to include a bit of code that does a check then sends headers and exits if there's a problem (I think that's what the ini setting is).

Posted: Tue Apr 25, 2006 11:32 am
by John Cartwright
Worth noting you might want to call exit() directly after the header() call to avoid other code from possibly being run.

Posted: Mon May 01, 2006 4:21 am
by ecce
feyd | Please use code and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.


I think the suggested solution from d11wtq was a great idea, and I've tried to implement it. I ran into trouble, so please help me through this if you can. These are the .htaccess file and PHP code:

.htaccess
[syntax="apache"]
AddType application/x-httpd-php .html
AddType application/x-httpd-php .htm

php_value auto_prepend_file /var/www/html/curriculum/secure.php
[/syntax]

secure.php

Code:

<?php
session_start();
if(empty($_SESSION['username']))
{
	echo "You must be logged in to view the Cisco curriculum.<br />";
	print_r($_SESSION); // debug: print_r() prints by itself; echoing its return value adds a stray "1"
	exit();
}
?>
It sure runs the PHP script, but the $_SESSION array is totally empty, although I am logged in. The link is opened in a new window, but that usually doesn't bother sessions as long as it is the same browser, right? If I remove all of the URL except the server name and hit enter (so I get to the start page) it says I'm logged in.


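
The guard discussed in this thread, as an added example (not code from any of the posters): it combines the header-then-exit advice with server-side logging that tells "the browser sent no session cookie for this URL" apart from "a session exists but holds no username". It assumes the login page sets $_SESSION['username'] and uses PHP's default session name; guard_decision() is a hypothetical helper name.

```php
<?php
// secure.php: added example of an auto_prepend_file guard.
// Assumption: the login page stores the user name in $_SESSION['username']
// and runs with the same session name and cookie settings as this file.

/**
 * Decide what the guard should do for this request.
 * Returns 'allow', 'no-cookie' (the browser sent no session cookie with
 * this request) or 'no-login' (a session exists but has no username).
 */
function guard_decision(array $cookies, array $session, string $sessionName): string
{
    if (!isset($cookies[$sessionName])) {
        return 'no-cookie';
    }
    if (empty($session['username']) || !is_string($session['username'])) {
        return 'no-login';
    }
    return 'allow';
}

session_start();
// $_COOKIE holds only what the browser sent, so a session that
// session_start() has just created still counts as 'no-cookie'.
$decision = guard_decision($_COOKIE, $_SESSION, session_name());

if ($decision !== 'allow') {
    // Record the reason in the server log instead of printing
    // $_SESSION to a visitor who is not logged in.
    error_log(sprintf(
        'curriculum guard: %s for %s (session name=%s, cookie path=%s)',
        $decision,
        $_SERVER['REQUEST_URI'] ?? '?',
        session_name(),
        session_get_cookie_params()['path']
    ));

    // Same status an invalid URL would produce, then stop so the
    // protected .html file is never parsed or sent.
    http_response_code(404);
    exit;
}
// Logged in: fall through and let Apache serve the requested page.
```

A 'no-cookie' line in the error log means the request arrived without the session cookie, which points at the cookie's scope or the session name rather than at the guard; 'no-login' means the session was found but the login code never stored a username in it.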