Lock PHP Session to 1 Dir

brooky

Hi there,

I'm using code like this:

$sessionDomain = "/membersonly";
@ini_set("session.cookie_path",$sessionDomain);

session_start();

This works and the session only works for that folder of the site.

BUT if sessions are not cookie based they can still access the rest of the site?!

Is there a way to lock the session to a certain directory for php sessions which don't use cookies?

I can't find a solution.

drew010

the only way to do it is most likely programatically, like set a session var that represents the directory where the session is allowed to be executed. on all session pages, check that session var and if it points to a path other than the one they are in, then exit the execution or go to the default page.


$_SESSION['allow_path'] = '/members';  //the base folder for sessions

//check to see that the current path of the script, is the same as the allow path
if (strpos(dirname($_SERVER['PHP_SELF']), $_SESSION['allow_path']) !== 0) {
  echo "wrong path";
} else {
  echo "right path";
}

this works so that if they are viewing /members/page.php and the allow_path is /members, they will be allowed to view the file.

if they are viewing /members and the allow_path is /members/protected they will NOT be allowed to view the file.

and note also if they are viewing /members/anotherfolder/page.php and the allow_path is /members, they will also be able to view the file.

hope that helped.

brooky

Thanks you are very kind, it makes perfect sense and I'll give it a try. 😉