protect non-php files?

satch

Greetings..

I am building a member area using a php/mysql login. Basically once a user registers, they can log in and view pages 'inside' the member directory. I use an authentication script checking the session_id() to do the login.

Problem is this: That works great for all php files I run the authentication script on but when a user directly links to a file inside the directory they can see it without ever logging in.

I know how the .htaccess/.httpasswd works for this but I don't like the big login box it comes with and it takes a while to sort through the list of users (big list). Is there a way to use a database of users and a login script that will create a valid $PHP_AUTH_USER so I can have a .htaccess file protecting all of the non-php files? I would need the .htaccess file to 'require valid-user' but only redirect to login script, not show the big dumb box.

Thanks in advance!
:bemused:

devinemke

2 suggestions:

store the sensitive pages outside of your document root. once a user is logged in, serve them up via the [man]header[/man] fucntion.
store the sensitive pages inside of your document root and CHMOD them to be non-readable by the outside world and again serve them up via the [man]header[/man] fucntion.

satch

now, problem is this. The end user would like to be able to build pages inside the log in section that are html. He basically wants me to build a an area on his site that people need to log in to have access to all inside... hmm..

otherwise your idea would be perfect.

devinemke

you could build your own front end that allows users to build/upload HTML docs that places them outside the doc_root and/or CHMODs them to be non-readable.

mtmosier

Another method of securing non-php files is discussed here.