Hi, I am looking for a way to password protect a website directory WITHOUT .htaccess, or at least the standard .htaccess/htpasswd system. I have password protected sites before using sessions, which work fine but require you to put the session code onto every page. I am wondering if there is a way to "session proof" a directory with just one file that will auto-protect the whole folder and give functions like "log off". I have tried googling it but have found nothing I want.
Well, yes. Just create an index.php file with a login form, and base the showing of content on whether or not the person has logged in?
But how will that protect other files in the directory? If I have it set up on index.php but another file called aboutus.php and someone types in mysite.com/aboutus.php
That you cannot really do unless you use .htaccess, or at least provide some sort of check on other files - direct linking has to be avoided, and so has directory listings and such. But you cannot protect all other files in a directory without actually having some sort of directory-wide protection, which you cannot get from a single php-file, at least not without a hell of a lot of trouble. You could, probably, make a check to see if a user tries to open other files via the index.php (with the login-info), but it would probably be both insecure and possible to circumvent.
Thanks for your help. I am probably going to use a .htaccess/htpasswd system, as it seems the easiest option.
It's totally possible to do something like this:
- Use mod rewrite to rewrite all URLs to index.php
- index.php can check the file path and the session/login
- If the user is allowed access, you would use PHP to 'passthrough' the desired file
- You may need to set certain headers with PHP depending on what is being passed
Anyway, I don't think you want to use that, but it is a possible example.
Why do you want to protect a directory that is in public…? … If it shouldn’t be in public_html then you should have it there and give access to those that fulfill your criteria … (not everything should be in public)
Yes, if you let every page pass through index.php, so the URL will be index.php?page=your_page_name and the page include code will look like this:

include $_GET['page'].".php";

As I mentioned before. The new URL will be

http://www.mydomain.com/index.php?page=your_page_name

and index.php will include the page dynamically:

<?php include $_GET['page'].".php"; ?>

And I ask again - WHAT exactly, is gonna prevent me from going to the underlying page directly? Say you have "personalinfo.php" - your solution would show this page if I use

http://www.mydomain.com/index.php?page=personalinfo

- BUT! If I just type

http://www.mydomain.com/personalinfo.php

it will also show, just fine. Note: this does not cater for other types of files either, so... hopeless, is the word I'm looking for. Or no understanding of what is being asked.
It is a workaround for @saturn100's problem. But if you really want a secure way then use CI. In CI everything goes through index.php.
Huh? The OP wanted a way to SECURE a directory (no access to any files apart from index.php) and you're providing a no-security option which doesn't even lend any obscurity to what the filenames are, nor provide any way of loading files which aren't .php-files. Hence: it's garbage. And why the hell would I use CI to password-protect or secure a directory? It can be done in two minutes using .htaccess / .htpasswd
For security, you have 2 options, both of which need htaccess. First would be to use htaccess/htpasswd to password protect directories. Second (like mentioned above) would be to use a backend authentication system using php/asp/java/etc., which also needs htaccess to block access to all files so your backend system would be the only entry point to such files.
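The single-entry-point setup described in the posts above (rewrite every URL to index.php, check the session, pass the allowed file through with the right headers), written out as an added example that is not code from any poster. The names `login.php`, `PROTECTED_DIR`, `ALLOWED_TYPES` and `resolve_protected()` are hypothetical, and the example assumes Apache with mod_rewrite and protected files stored outside the document root.

```php
<?php
// index.php: the only entry point (added example, not code from the thread).
// Assumed .htaccess beside it, sending every other URL in the directory here:
//   RewriteEngine On
//   RewriteRule !^(index|login)\.php$ index.php [L]
// Assumed: login.php (hypothetical) sets $_SESSION['user']; files live outside the docroot.
const PROTECTED_DIR = __DIR__ . '/../protected';
const ALLOWED_TYPES = [                       // extension => Content-Type
    'html' => 'text/html; charset=utf-8',
    'pdf'  => 'application/pdf',
];

/** Resolve a request path to [file, type] inside $base, or null if refused. */
function resolve_protected(string $base, string $requestPath): ?array
{
    $rel  = rawurldecode($requestPath);
    $root = realpath($base);
    if ($root === false || strpos($rel, "\0") !== false) {
        return null;
    }
    $file = realpath($root . '/' . ltrim($rel, '/'));
    // realpath() collapses "../" and symlinks, so the prefix test is reliable.
    if ($file === false || !is_file($file)
        || strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    return isset(ALLOWED_TYPES[$ext]) ? [$file, ALLOWED_TYPES[$ext]] : null;
}

session_start();
$prefix = rtrim(dirname($_SERVER['SCRIPT_NAME']), '/\\');   // e.g. "/members"
$path   = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
if (isset($_GET['logout'])) {                 // "log off": drop the session
    $_SESSION = [];
    session_destroy();
}
if (empty($_SESSION['user'])) {
    header('Location: ' . $prefix . '/login.php', true, 302);
    exit;
}
$found = resolve_protected(PROTECTED_DIR, substr($path, strlen($prefix)));
if ($found === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: ' . $found[1]);
header('X-Content-Type-Options: nosniff');
readfile($found[0]);   // send bytes only; a user-chosen path is never include()d
```

Because the files are read from a directory the web server does not serve, typing a file's URL directly reaches index.php and the session check rather than the file itself.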
It's NOT A WORKAROUND. It provides no security and allows direct access to any file in the directory as long as you know the filename - which you will, since the way you're including them relies directly on the filenames. The only "security" your solution provides is that you don't get a directory listing of all the files, due to having an index.php. Your solution doesn't work. EoD.
It is easy. Just paste the code below at the top of the page

if (!defined('BASEPATH')) exit('No direct script access allowed');

and define "BASEPATH" in index.php before including the .php file

define('BASEPATH', 'domain URL');