Protecting files in a directory....

sazbo

I set up a simple login script that protects PHP files within the directory. That is, those files are not viewable without loggin in (session variables). But how do I protect other non-PHP files within the directory without using Windows Authentication?

Is it secure to use session variables for login scripts?

nancy-jo

The PHP files can only control the PHP portion. Apache or IIS need to control the files that are not dealt with by the PHP Processor.

The session variables are not usually the weak link in the authentication/authorization process, it is more likely to be the authentication portion, as someone who is able to guess/brute hack a valid UID/password combination.

wscreate

There is some insecurity with sessions as they are written to a file on the server.

I don't know how exactly you want to protect these files, but if you are trying to protect them from web access, then why not use .htaccess for validation?

cakkafracle

Beware the WGET app

i posted this already in another thread, but all the php-authentication scripts in the world will not stop someone from grabbing your files with

'wget http://domain.com/secret/file.php'

you really need Web Server level protection, like .htaccess on Apache or whatever Winblows uses for IIS.

trust me, I'm no one.