PHP: make folder files accessible, only after successful login
Right now on my website, I was able to redirect the user after successfully logging in to the page www.mysite.com/protected_files/redirect.php using something like this on my www.mysite.com/login.php page:
<?php
// $login_was_successful stands for whatever credential check login.php performs
if ($login_was_successful) {
    include('protected_files/redirect.php');
}
A folder with the name www.mysite.com/protected_files contains a file .htaccess,
# This file prevents that your .php view files are accessed directly from the outside
<Files ~ "\.(htaccess|php)$">
order allow,deny
deny from all
</Files>
which causes all the .php files in the folder protected_files to give users a 403 error when they type www.mysite.com/protected_files/phpfile1.php into their browser. This is where the function include('protected_files/anyphpfile.php') comes in handy.
Now I'm trying to figure out how to redirect the user from protected_files/phpfile1.php to protected_files/phpfile2.php from the menu bar.
<a href="www.mysite.com/protected_files/phpfile2.php">page2</a>
doesn't work (403 error) because it belongs to the folder protected_files, which has the .htaccess file that makes it inaccessible by URL.
My solution on this matter was something like:
<?php
// code in `www.mysite.com/redirect.php`
// isset() avoids an "undefined index" notice when no ?page= parameter is given
if (isset($_GET['page']) && $_GET['page'] == "phpfile2") {
    include("phpfile2.php");
} else {
    include("phpfile1.php");
}
This means that after a successful login, users will be sent to www.mysite.com/protected_files/phpfile1.php by default (as $_GET['page'] == "").
The user is now in phpfile1.php and can click the link <a href="?page=phpfile2">phpfile2</a> to go to phpfile2.php. That being said, his browser first shows www.mysite.com/login.php, and after he clicks on the link, it shows www.mysite.com/login.php?page=phpfile2.
What I'm trying to do is not to show www.mysite.com/login.php?page=phpfile2 as the URL when the user is on the page phpfile2.php, but to display the actual path to the file, which is www.mysite.com/protected_files/phpfile2.php.
How can I achieve this in this particular case? Can I change .htaccess so that protected_files becomes available (no more 403) after a successful login? Should I completely change the way I created this site?
Basically, at the end of the day, I want to have a folder named protected_files that contains .php files only accessible to the user after a successful login.
Edit
<Files ~ "\.(htaccess|php)$">
order allow,deny
deny from all
</Files>
to
<Files ~ "\.(htaccess|include)$">
order allow,deny
deny from all
</Files>
<Files ~ "\.php$">
php_value auto_prepend_file "session_check.include"
</Files>
Then have session_check.include check whether the user is logged in; if not, call exit(). That way each file in the directory checks whether the user is logged in; if they are not, it exits. If they are, the file continues as usual.
This way, you don't have to do a bunch of tricks rewriting incoming and outgoing requests to match some kind of fake map - you just let each file run a "not logged in yet?" check as the first thing it does.
See How to change configuration settings for documentation on how php_value works, and Description of the core php.ini directives for documentation on auto_prepend_file.
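As an added example (not the answer's own code) of what the prepended session_check.include and the matching part of login.php could look like: the view files in protected_files/ get no login code of their own, and a user without a session is sent back to the login form instead of getting an empty page from a bare exit(). The session key $_SESSION['user_id'], the user store and the password are constructed for this example; the redirect targets assume the layout from the question.

```php
<?php
// ===== protected_files/session_check.include =====
// Pulled in front of every .php file in protected_files/ by the
// "php_value auto_prepend_file" line in the .htaccess above.
declare(strict_types=1);

session_start();

// Assumption: login.php stores the authenticated user's id in
// $_SESSION['user_id'] (see the login fragment below). Any key works as
// long as both files agree on it.
if (empty($_SESSION['user_id'])) {
    // A bare exit() would return an empty page with status 200; send the
    // browser back to the login form with a 302 instead and stop here so
    // the protected view below this prepend file never runs.
    header('Location: /login.php', true, 302);
    exit;
}

// ===== login.php (only the part that creates the session) =====
// Constructed sample user store; a real site reads the hash from a database.
// The hash is generated here only so the example runs stand-alone.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

$name = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

if (isset($users[$name]) && password_verify($pass, $users[$name])) {
    // New session id on privilege change, so an id planted before login
    // (session fixation) cannot be reused by the attacker.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $name;
    // With the .htaccess from this answer the .php files are reachable
    // directly, so the browser now shows the real path the question asks for.
    header('Location: /protected_files/phpfile1.php', true, 302);
    exit;
}

http_response_code(401);
echo 'Login failed';
```

Two practical notes: php_value directives in .htaccess only take effect when PHP runs as an Apache module (mod_php); under PHP-FPM put auto_prepend_file in a .user.ini in that directory or in the pool configuration instead. And the deny rule for the .include extension in the answer's .htaccess is what keeps session_check.include from being downloaded as plain text, so keep both halves of that change together.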
This seems like a bad approach. I would instead keep a secure folder outside of the docroot (so you won't need the .htaccess file) and have a gateway script that authenticates the user before redirecting (via a variable stored in the session that indicates this).
Right now, anyone who knows the parameter you are expecting via GET will be able to figure out the URL where your protected files are located and will be able to access them. If you use a gateway script that authenticates the user before providing access to those files, this will make your files more secure.
In your .htaccess file - the one alongside index.php, not the one in the hidden folder that blocks everything - you can add something like this:
RewriteEngine On
RewriteBase /
Options FollowSymLinks
RewriteRule ^admin$ index.php?a=admin [L]
and then all links to /admin will be redirected without changing the URL string.
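The gateway script from the previous answer and the rewrite-to-index.php routing from this one fit together in a single front controller. The following is an added example that is not part of either answer: index.php receives the route name from the rewritten URL, checks the session, and only then includes a view file from a directory outside the document root. The directory name ../protected_files, the route table, and the session key $_SESSION['user_id'] are assumptions for this example; the .htaccess line in the comment generalises the answer's single RewriteRule to all listed routes.

```php
<?php
// index.php in the document root -- added example, not from the answers.
//
// Assumed .htaccess next to this file (extends the answer's rule to every
// route in the table below, so the browser shows /page2, never ?a=page2):
//   RewriteEngine On
//   RewriteBase /
//   RewriteRule ^(home|page2|admin)$ index.php?a=$1 [L]
declare(strict_types=1);

session_start();

// The view files live OUTSIDE the document root (assumed layout), so Apache
// can never serve them directly and no deny-all .htaccess is needed there.
const PROTECTED_DIR = __DIR__ . '/../protected_files';

// Allowlist: public route name -> view file. Only values from this table ever
// reach include(), so a request such as a=../../etc/passwd is simply a 404.
const ROUTES = [
    'home'  => 'phpfile1.php',
    'page2' => 'phpfile2.php',
    'admin' => 'admin.php',
];

/**
 * Map a route name to an absolute view path, or null if it is not allowed.
 * The realpath() prefix check is a second line of defence in case the table
 * is later edited to contain a relative path by mistake.
 */
function resolveRoute(string $action): ?string
{
    if (!array_key_exists($action, ROUTES)) {
        return null;
    }
    $base = realpath(PROTECTED_DIR);
    $path = realpath(PROTECTED_DIR . '/' . ROUTES[$action]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Gateway check first: the session flag set by login.php decides access,
// not knowledge of a parameter name or a file path.
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php', true, 302);
    exit;
}

$action = $_GET['a'] ?? 'home';
$file = resolveRoute($action);
if ($file === null) {
    http_response_code(404);
    echo 'Not found';
    exit;
}

require $file;
```

Links inside the views then point at the clean routes (<a href="/page2">page2</a>), which is what the question asked for: the protected directory is never exposed as a URL at all, so there is nothing for a .htaccess in it to block, and the 403-versus-logged-in problem disappears.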