Restricting Folder Access

scorp

I have a PHP/MySQL site that I am developing and can't seem to find out how to restrict access to a folder to only users who are logged in to the site.

When I have asked people about how to do this they keep gicing me code for restricting access to files, but as its a folder I don't believe this would work.

Thanks

paul088

Folder restriction is normally accomplished through HTTP authentication. You can find a lot of information on this by searching the net (e.g. yahoo) using keywords like these:

http-authentication php script

Alternatively you can go to php scripts banks (hotscripts.com scriptsearch.com, etc) to get working scripts. This method is not ideal because it tends to remember the login, and never expires. Protecting each page using session is still a way to go, unless someone knows a way to protect folder using session.

Good luck,

Paul

freakonaleash

Originally posted by scorp
I have a PHP/MySQL site that I am developing and can't seem to find out how to restrict access to a folder to only users who are logged in to the site.

When I have asked people about how to do this they keep gicing me code for restricting access to files, but as its a folder I don't believe this would work.

Thanks

If your host is running nix of some nature u can use .htaccess files

scorp

Thanks guys, this should help me out.

If you think of anything else though, don''t be afraid to tell me :p

leetcrew

i'm afraid...


<?php
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
  } else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
  }
?>

or -

<?php
  function authenticate() {
    header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You must enter a valid login ID and password to access this resource\n";
    exit;
  }

  if (!isset($_SERVER['PHP_AUTH_USER']) ||
      ($_POST['SeenBefore'] == 1 && $_POST['OldAuth'] == $_SERVER['PHP_AUTH_USER'])) {
   authenticate();
  } 
  else {
   echo "<p>Welcome: {$_SERVER['PHP_AUTH_USER']}<br>";
   echo "Old: {$_REQUEST['OldAuth']}";
   echo "<form action='{$_SERVER['PHP_SELF']}' METHOD='POST'>\n";
   echo "<input type='hidden' name='SeenBefore' value='1'>\n";
   echo "<input type='hidden' name='OldAuth' value='{$_SERVER['PHP_AUTH_USER']}'>\n";
   echo "<input type='submit' value='Re Authenticate'>\n";
   echo "</form></p>\n";
  }
?>

scorp

Where abouts would you put that code to restrict access to a foler?

leetcrew

name it as index.php3 or index.php

scorp

And put it in the folder you want to prevent access to?
Will that really restrict access to the whole folder and everything thats in it?

suntra

Personnally, what I would do is to put "access reduced" directories in a place unaccessible from the Web and make a script which first checks if the user is authenticated, and after, lists the content of a certain directory (including other directories)...

Arc

Umm doesnt CHMOD take care of folder access? I mean atleast doesn't allow any access to any file inside the folder if you set it to 000.