PHP: make folder files accessible, only after successful login

Right now on my website, I was able to redirect the user after successfully logging in to the page www.mysite.com/protected_files/redirect.php

using something like this on my www.mysite.com/login.php page:

if( login was successful)
{
    include('protected_files/redirect.php');
}

      

A folder with the name www.mysite.com/protected_files

contains a file .htaccess

,

 # This file prevents that your .php view files are accessed directly from the outside
 <Files ~ "\.(htaccess|php)$">
 order allow,deny
 deny from all
 </Files>

      

which calls all the .php files in the folder protected_files

to give users a 403 error when they type in their browserwww.mysite.com/protected_files/phpfile1.php

This is where the function include('protected_files/anyphpfile.php')

comes in handy.

Now I'm trying to figure out how to redirect the user from protected_files/phpfile1.php

to protected_files/phpfile2.php

from the menu bar.

<a href="www.mysite.com/protected_files/phpfile2.php">page2</a>

doesn't work (403 error) because it belongs to the folder protected_files

that has the file .htaccess

and makes it inaccessible to the url.

My solution on this matter was something like:

//code in `www.mysite.com/redirect.php`
if ($_GET['page'] == "phpfile2") {
include("phpfile2.php");
} else {    
include("phpfile1.php");
}

      

This means that after a successful login, users will be sent www.mysite.com/protected_files/phpfile1.php

by default (s $_GET['page'] == ""

)

The user is now in phpfile1.php

and he can click the link <a href="?page=phpfile2">phpfile2</a>

to go to phpfile2.php

. That being said, his browser first shows www.mysite.com/login.php

, and after he clicks on the link, he shows www.mysite.com/login.php?page=phpfile2

.

What I'm trying to do is not to show www.mysite.com/login.php?page=phpfile2

The URL-address when the user is on a page phpfile2.php

, but to display the actual path to the file , whichwww.mysite.com/protected_files/phpfile2.php

How can I achieve this in this particular case?

Can I change .htaccess

so that it protected_files

becomes available (no more than 403) after a successful login? Should I change the way I completely created this site?

Basically, at the end of the day, I want to have a folder named protected_files

that contains the .php files only accessible to the user after a successful login.

+3


source to share


3 answers


Edit

 <Files ~ "\.(htaccess|php)$">
 order allow,deny
 deny from all
 </Files>

      

to

 <Files ~ "\.(htaccess|include)$">
 order allow,deny
 deny from all
 </Files>

 <Files ~ "\.php$">
 php_value auto_prepend_file "session_check.include"
 </Files>

      



Then check session_check.include

to check if the user is logged in; if not, call exit()

. Then each file in the directory checks to see if the user is logged in; if they are not, it will exit. If they are, the file will continue as usual.

This way, you don't have to do a bunch of tricks rewriting incoming and outgoing requests to match some kind of fake map - are you just letting each file load "not logged in yet"? check as the first thing it does.

See How to change configuration settings for documentation on how it works php_value

, and Description of the main php.ini directives for documentation onauto_prepend_file

+1


source


This seems like a bad approach, I would instead keep a secure folder outside of docroot (so you won't need to use the .htaccess file) and have a gateway script that authenticates the user before redirecting (via a variable stored in the session that indicates this).



Right now, anyone who knows the parameter you are expecting via GET will be able to figure out the url where your protected files are located and will be able to access them if you use a gateway script that authenticates the user before providing access to those files, this will make your files more secure.

+2


source


In your htaccess file - the volume relative to index.php, not in a hidden folder that blocks everything - you can add something like this:

RewriteEngine On
RewriteBase /
Options FollowSymLinks
RewriteRule ^admin$ index.php?a=admin [L]

      

and then all links to / admin will be redirected without changing the url string.

+1


source







All Articles