PHP protected directory

thezone1

Ok so I just spent like three days setting up a PHP member system with all the trimmings, added user directories (so they can upload files), then I realised there's nothing stopping someone just typing the address of the file in the URL bar.

Is there any way to protect these directories without .htaccess files, since I want the user to be able to log into the site and just have access to their stuff?
 

TechAsh

Make sure that all PHP files in your members directories have the code to check whether that user is logged in or not.
If you have done that, then add the following to a .htaccess file:
Options -Indexes
This will stop people from trying to view a directory listing.

Try both of those and see if it works, then post back.
 

Hazirak

You could simply start a session when the user logs in... then on every page that you want to be 'members only', simply check a session variable to see if it's set or not. Since you're only starting the session when the user successfully logs in, the variable won't even exist if they haven't signed in yet.

You could also have a session open for every user who visits, and set a variable to "false" for guests and "true" for members. 'Members only' pages can just check to see if the variable is set to true or false.

Example of the first:

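PHP:
<?php
//Logon page (run this only after the username and password have been verified)
session_start();
session_regenerate_id(true); //issue a fresh session ID on login
$_SESSION['login'] = true;
?>
PHP:
<?php
//'Members only' pages
session_start(); //needed on every page that reads $_SESSION
if (empty($_SESSION['login'])) {
    header('Location: login.php');
    exit; //stop here, otherwise the rest of the page is still sent
}
?>
PHP:
<?php
//When a user logs out
session_start(); //resume the session so it can be destroyed
$_SESSION = array();
session_destroy();
?>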

Just keep in mind that the session_start() and header() functions must be the very first line on the page, even before the <html> tag.
 

thezone1

Thanks for the PHP tip, I already had a similar system in place but without the guest option, good thinking Batman lol. Sadly it doesn't overcome the problem of someone just typing the address. TechAsh, I did think of that myself at first, but while it does stop the listing of the directory it doesn't stop someone from typing the full address with the file name. I know this would have to be a wild guess but it's a risk I just don't want to take.

I did think of, say for instance, not showing the URL in the address bar but instead a randomly generated one that's never the same? Anyone have any ideas on this?
 

Hazirak

It would last about five seconds. Mouse over a link and look in your browser's status bar, and you'll see why.

JavaScript has the ability to change a status bar, but all you would have to do to bypass that is turn off JavaScript, or right-click on a link, select properties, and look at where it points to.

It also just occurred to me that you can use JavaScript to disable right-clicking, but again, just turn off JavaScript.
 

Sohail

You can use .htaccess to password protect directories if that's what you need?
 

thezone1

Yes, but then that would require a user to retype their user name and password. Not only that, it would take a long time to make all the .htaccess files for all users.
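
One way to close the gap discussed in this thread, added here as an example and not code posted by any participant: keep the upload directories outside the web root so no URL maps to them, and serve files through a PHP script that checks the session and confines the request to the logged-in member's own directory. The script name `download.php`, the `user_id` session key, the `file` query parameter and the `UPLOAD_ROOT` path are assumptions.

```php
<?php
// download.php (hypothetical name) - added example, not from the thread.
// Assumptions: the login page stores the member's numeric id in
// $_SESSION['user_id'], and uploads live OUTSIDE the web root in
// UPLOAD_ROOT/<user_id>/, so typing a file address in the URL bar finds nothing.
const UPLOAD_ROOT = '/var/www/private_uploads'; // assumed location

// Map a requested file name to a real path inside the member's own
// directory. Returns null if the file is missing or the path escapes it.
function resolve_user_file(string $root, int $userId, string $name): ?string
{
    $userDir = realpath($root . '/' . $userId);
    if ($userDir === false) {
        return null;
    }
    // basename() discards any directory part ("../42/secret.pdf" -> "secret.pdf").
    $path = realpath($userDir . '/' . basename($name));
    // realpath() resolves symlinks too, so re-check the final location.
    $prefix = $userDir . DIRECTORY_SEPARATOR;
    if ($path === false || !is_file($path)
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

// Reject array-style parameters such as ?file[]=x before using the value.
$name = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : '';
$path = resolve_user_file(UPLOAD_ROOT, (int) $_SESSION['user_id'], $name);
if ($path === null) {
    http_response_code(404); // same answer for "missing" and "not yours"
    exit;
}

// Send as a download so an uploaded .html or .php file is never rendered or run.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . filesize($path));
readfile($path);
```

Links on the member pages then point at `download.php?file=<name>`; a guessed name only ever resolves inside the requesting member's own directory, and no per-user .htaccess file or second password prompt is needed.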
 