Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Allowing only logged in users access files

Options
  • 28-08-2003 4:59pm
    #1
    Draco
    Subscribers Posts: 1,911 ✭✭✭


    I'm building a website at the moment that has some memeber only areas.
    In these areas members can access various bits of content that have been put up. Obviously I don't want the great unwashed to access these pages.
    At the moment I have a .htaccess file that has "deny from all" in it and I grab the requested file with a piece of PHP. This is all well and good for most of the content. However some of the content is linked HTML pages so this method won't do.

    Any suggestions how to allow access to these sections? I've been trying to figure out a way of getting the .htaccess call a PHP script that will check if who ever is accessing the file is logged in.
    I'm writing this in PHP with a MySQL back end.


Comments

  • Options
    #2
    str8_away
    Registered Users Posts: 629 ✭✭✭str8_away


    Not sure about PHP but in ASP I would assign user a value at login as session variable.

    On the page I would put an if statement.
    if session("login") = true then
    write out link/ file message etc
    end if

    Do PHP has session variable?


  • Options
    #3
    The Corinthian
    Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    Keep the files in a completely seperate directory - .htaccess protected, if not outside htdocs directory or even in a database (using a blob field type, if using MySQL, for example).

    Then using a PHP script, validate your user and if validated output the file with the appropriat content-type ("unknown" if you want the browser just to prompt a download), etc.

    Here's something I wrote some time ago:
    [PHP]
    /*
    db_Open(), db_Close(), db_ValidateUser() and db_getItem()
    are external functions, abstracting DB logic.
    */

    db_Open();
    if (db_ValidateUser($id)) {
    $a_Item = db_getItem($id);
    header("Content-Type: ".$a_Item["mimetype"]);
    header("Content-Disposition: inline");
    header("Content-Length: ".strlen($a_Item["data"]));
    echo $a_Item["data"];
    }
    db_Close();
    [/PHP]


  • Options
    #4
    Typedef
    Closed Accounts Posts: 5,564 ✭✭✭Typedef


    If using apache.

    You need a .htaccess file in the pertinent directory to be protected.

    Google for ".htaccess" and "constructing nuclear weapons for fun and profit".

    Hmm. reading the rest of your post though.

    In an apache directory hirearchy

    /usr/apachedocdir/blah

    blah should be the Document Root of a Virtual Domain. From there "all" content that resides in that Directory (and consequently that Virtual Domain)... is protected.


  • Options
    #5
    Draco
    Subscribers Posts: 1,911 ✭✭✭Draco


    Originally posted by The Corinthian
    Keep the files in a completely seperate directory - .htaccess protected, if not outside htdocs directory or even in a database (using a blob field type, if using MySQL, for example).

    Then using a PHP script, validate your user and if validated output the file with the appropriat content-type ("unknown" if you want the browser just to prompt a download), etc.
    I already have something like that working. the problem is when the page returned refers to another page in the protected directory. It was suggested to me that I should look into rewrite rules.


Advertisement