1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

php password protect directory

Discussion in 'PHP' started by saturn100, Jan 28, 2014.

  1. #1
    Hi I am looking for away to password protect a website directory WITHOUT .htaccess or at least the standard .htaccess/htpasswd system

    I have password protected sites before using sessions which work fine but require you to put the session code onto every page
    I am wondering if there is away to "session proof" a directory with just one file that will auto-protect the whole folder and give functions like "log off"

    I have tried googling it but have found nothing I want
     
    saturn100, Jan 28, 2014 IP
  2. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #2
    Welll, yes. Just create an index.php file with a login-form, and base the showing of content on whether or not the person has logged in?
     
    PoPSiCLe, Jan 28, 2014 IP
  3. saturn100

    saturn100 Well-Known Member

    Messages:
    465
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    111
    #3
    But how will that protect other files in the directory
    If I have it set up on index.php
    but another file called aboutus.php

    and someone types in mysite.com/aboutus.php
     
    saturn100, Jan 28, 2014 IP
  4. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #4
    That you cannot really do unless you use .htaccess, or at least provide some sort of check on other files - direct linking has to be avoided, and so has directory listings and such. But you cannot protect all other files in a directory without actually having some sort of directory-wide protection, which you cannot get from a single php-file, at least not without a hell of a lot of trouble.
    You could, probably, make a check to see if a user tries to open other files via the index.php (with the login-info), but it would probably be both insecure and possible to circumvent.
     
    PoPSiCLe, Jan 28, 2014 IP
  5. saturn100

    saturn100 Well-Known Member

    Messages:
    465
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    111
    #5
    Thanks for your help
    I am probably going to use a .htaccess/htpasswd system as it seems the easiest option
     
    saturn100, Feb 3, 2014 IP
  6. FWH1

    FWH1 Peon

    Messages:
    8
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    1
    #6
    It's totally possible to do something like this:
    Use mod rewrite to rewrite all urls to index.php
    index.php can check the file path and the session/login
    if the user is allowed access you would use PHP to 'passthrough' the desired file
    you may need to set certain headers with php depending on what is being passed


    Anyway, I don't think you want to use that but it is a possible example.
     
    FWH1, Feb 3, 2014 IP
  7. jkon

    jkon Member

    Messages:
    12
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    36
    #7
    Why do you want to protect a directory that is in public… ? … If shouldn’t be in public_html than you should have it there and give access to those that fulfill your criteria … (not everything should be in public)
     
    jkon, Feb 5, 2014 IP
  8. webshore88

    webshore88 Well-Known Member

    Messages:
    130
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    123
    #8
    Yes, if you let every page pass through index.php, so the URL will be index.php?page=your_page_name and page include code will look like this
    include $_GET['page'].".php";
    PHP:
     
    webshore88, Feb 6, 2014 IP
  9. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #9
    And exactly HOW is he gonna force all pages to go through index.php without a .htaccess?
     
    PoPSiCLe, Feb 7, 2014 IP
  10. webshore88

    webshore88 Well-Known Member

    Messages:
    130
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    123
    #10
    As I mentioned before. New URL will be
    http://www.mydomain.com/index.php?page=your_page_name 
    PHP:
    and index.php will include page dynamically
    <?php
    include $_GET['page'].".php";
    ?>
    PHP:
     
    webshore88, Feb 7, 2014 IP
  11. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #11
    And I ask again - WHAT exactly, is gonna prevent me from going to the underlying page directly? Say you have "personalinfo.php" - your solution would show this page if I use
    http://www.mydomain.com/index.php?page=personalinfo
    Code (markup):
    - BUT! If I just type
    http://www.mydomain.com/personalinfo.php
    Code (markup):
    it will also show, just fine. Note: this does not cater for other types of files either, so... hopeless, is the word I'm looking for. Or no understanding of what is being asked.
     
    PoPSiCLe, Feb 7, 2014 IP
  12. webshore88

    webshore88 Well-Known Member

    Messages:
    130
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    123
    #12
    It is a work around for @saturn100 problem. But if you really want a secure way then use CI. In CI everything goes through index.php.
     
    webshore88, Feb 7, 2014 IP
  13. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #13
    Huh? The OP wanted a way to SECURE a directory (no access to any files apart from index.php) and you're providing a no-security option which doesn't even lend any obscurity to what the filenames are, nor provide any way of loading files which aren't .php-files. Hence: it's garbage.
    And why the hell would I use CI to password-protect or secure a directory? It can be done in two minutes using .htaccess / .htpasswd
     
    PoPSiCLe, Feb 7, 2014 IP
  14. webshore88

    webshore88 Well-Known Member

    Messages:
    130
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    123
    #14
    saturn100 do not want to use .htaccess system that is why I suggest this work around.
     
    webshore88, Feb 7, 2014 IP
  15. ThePHPMaster

    ThePHPMaster Well-Known Member

    Messages:
    737
    Likes Received:
    52
    Best Answers:
    33
    Trophy Points:
    150
    #15
    For security, you have 2 options both of which you need htaccess.

    First would be to use htaccess/htpasswd to password protect directories.
    Second (like mentioned above) would be to use a backend authentication system using php/asp/java/etc., which also need htaccess to block access to all files so your backend system would be the only entry point to such files.
     
    ThePHPMaster, Feb 7, 2014 IP
  16. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #16
    It's NOT A WORKAROUND. It provides no security and allows direct access to any file in the directory as long as you know the filename - which you will, since the way you're including them relies directly on the filenames.
    The only "security" your solution provides is that you don't get a directory listing of all the files, due to having an index.php.
    Your solution doesn't work. EoD.
     
    PoPSiCLe, Feb 8, 2014 IP
  17. webshore88

    webshore88 Well-Known Member

    Messages:
    130
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    123
    #17
    It is easy. Just paste below code at the top of the page
     if (!defined('BASEPATH')) exit('No direct script access allowed');
    PHP:
    and define "BASEPATH" in index.php before including .php file
    define('BASEPATH', 'domain URL');
    PHP:
     
    webshore88, Feb 8, 2014 IP
  18. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #18
    And still you're assuming that all the files are other .php-files *headdesk*
     
    PoPSiCLe, Feb 8, 2014 IP