Securing HTML files

alflow

I have a bunch of HTML files I would like to secure - only authorised users can view them.

For expediency, I would like to include the following in the .htaccess file (sourced from askapache.com):

AddHandler mywrapper .html
Action mywrapper /secure.php

secure.php would then be:

<?php
session_start();
if(!$_SESSION['authorised']){
	die('<p>You are not authorised to access this content!</p>');
} else {
	// The HTML should be displayed
}
?>

The problem is, when I either (by inserting appropriate code under [FONT="Courier New"]// The HTML should be displayed[/FONT]):

redirect to the HTML ([FONT="Courier New"]header("Location: content.html")[/FONT]), I end up with an endless loop (being redirected back to secure.php), or
trying to readfile ([FONT="Courier New"]readfile("content.html")[/FONT]) ends up redirecting to secure.php, with [FONT="Courier New"]$_SESSION['authorised'][/FONT] being deregistered.

Can someone suggest how to make the above work?

Thanks
Alfred

halojoy

hi.

If we say you browse to 'content.html',
which is a page you have and want to be secure.

I think one 'secure.php' has to be in same directory as 'content.html'.
Or eventually, 'secure.php' should be in doc_root of your site,
normally /htdocs/

Also notice, you can still use extension '.htm' (pagename.htm) for non-secure stuff.

What happens if you change 'secure.php' to using this code.
Nothing more, no header or no readfile.
Try, just use this, as your secure.php

<?php

session_start();

if( !isset($_SESSION['authorised']) ){
    exit(
             '<p>You are not authorised to access this content!</p>
              <p>You can login <a href="login.php">here</a>.' 
    );
}

?>

'login.php' should of course have

<?php

session_start();
// if correct user/pass
$_SESSION['authorised'] = true;

?>

NogDog

Another option would be to use .htaccess to have .html files in that directory processed as PHP, and include an auto_prepend_file to do the validation:

.htaccess:

AddType application/x-httpd-php .html
php_value auto_prepend_file './login.php'

<?php
if(!isset($_SESSION['authorized']))
{
   die("You do not have permission to view this page.");
}
?>

cretaceous

just want to say awesome tip Nogdog!