protect directories depending on username

assonitis

Hi all,

I have created a PHP auth system. My site has several directories under one main directory 'downloads' (i.e. under the directory 'downloads' I have a directory for each client). What I want to do is allow my clients accessing only their directory and not the others.

Any idea how to do that?

thanks for your help

ednark

basics w/o code:

you need to use [man]session[/man]s:

1) set up a place for username in session

2) have some login page set the username in the session

3) each page that authenticates has to look for a username in the session, if it is there they must have gone through the login page ok, if username does not exist or it is empy, they must not have logged in and they can be booted

4) look at the username, if it matches the person who should be able to look at the directory, pass, otherwise boot them.

code won't do any good without knowing if you have

1) register_globals on or off
2) session_autostart in php.ini

if you have

1) register_globals off
2) session_autotstart on

the code should looks something like this

### login.php

if ( isset($_POST['username']) && isset($_POST['password']) ) {
    if ( loginOk($_POST['username'],$_POST['password']) ) {
       $_SESSION['username'] = $_POST['username'];
    } else {
        unset($_SESSION['username'])
        showTheLoginForm();
    }
}

### authenticated page

if ( empty($_SESSION['username']) || $_SESSION['username'] != 'ednark' ) {
    bootInTheArse();
}

ednark

php can also use the http auth scheme

the browser itself pops up a little password box similar to what happend whtn you use a .htaccess file with apache... exept the server does not actually use the name and password, it just lets it slide along to php

http://www.php.net/manual/en/features.http-auth.php

to instigate this however you must send out the http header to ask the browser to pop up the little window...

(not 100%, so please some correct me if im wong)
i believe this will just store the name and password in the actual broswer, and the browser will send across the usename and password again with ecvery page request.... so the problem is that encryption does not exist with this method, plain text passwords are flying across each page request...

ednark

weepacket gave a similar if better explaination in another thread... try checking it out... sometimes hearing the same thing different ways will help out

http://www.phpbuilder.com/board/showthread.php?s=&threadid=10217879

ednark

am i just trying to run my posts number up... hmmm... naw

assonitis

Originally posted by ednark
am i just trying to run my posts number up... hmmm... naw

Hi Ednark,

thanks for the replies....

I know how to authenticate the user I have already done that, but how can I make him see all the availalbe directories but can only access his/hers?

bastien

Originally posted by assonitis

I know how to authenticate the user I have already done that, but how can I make him see all the availalbe directories but can only access his/hers?

why? consider it need to know and they don't need to know...why expose more facets of you application than you need to?

but in answer, i would create each folder as an image or text LINK and then only add the link code to the folder that is theirs....
hth