This has probably been discussed, and if so please just point me in the right direction -- could not find anything in Google.
The objective is to restrict access to certain files on a server (Apache2 on Ubuntu) only to authorized users. Authorized users will have cookie/phpsession set up (the webpage is mostly in PHP).
The solutions I came up with so far were overly complex (create rewrite tables using the php session ids, etc) OR putting session id of the logged in users into a database and then making rewrite tables using that.
Any help is much appreciated.
Thanks,
A.
This is something I've thought about quite a bit lately, and my 'best thought' right now is to put a PHP page in the middle that's rewritten to and performs the necessary checks, and if they are passed include() the requested file, which could be passed 'silently' via query string...
Something like this should be close and give an idea of what I'm thinking...
RewriteEngine on
RewriteRule ^Protected/(DirName)/([^.]+\.ext)$ /Protecting_Index.php?dir=$1&file=$2 [L]
This 'rewrites' (serves the information from) Protecting_Index.php to the requested location 'silently'... Protecting_Index.php would then perform the necessary checks and if they are passed include the originally requested file, and if not, serve a standard 'must be logged in' page rather than the file.
What I ended up doing was not linking to the actual location at all, but rather using AJAX and posting requests through the login form so I don't need to worry about query_strings (they annoy me) and I don't have to expose my file system, because the AJAX POSTs variables to 'protecting_index.php', which includes the information based on the variables, not URL if the checks are passed.
The biggest change from what I suggested above is I decided to not change the page (URL) for each request made, but rather kept the URL static and changed the information served to that location.
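Added example, not part of any post in this thread: one way the gatekeeper script behind the RewriteRule above could check the session and confine the dir/file parameters before serving anything. The storage path, the `user_id` session key and the function name are assumptions, `.ext` is the thread's placeholder extension, and it streams the file with readfile() where the post suggests include(), so an uploaded or attacker-influenced file is never executed as PHP.

```php
<?php
// Added example of a gatekeeper in the role of Protecting_Index.php.
// Assumptions (not from the thread): protected files are stored outside the
// document root, and the login code sets $_SESSION['user_id'].
declare(strict_types=1);

const PROTECTED_ROOT = '/var/www/protected_files'; // assumed location
const ALLOWED_DIRS   = ['DirName'];                // mirrors the RewriteRule group

// Map dir/file to a real path inside PROTECTED_ROOT, or null if it escapes it.
function resolve_protected_path(string $dir, string $file): ?string
{
    // Re-check what the RewriteRule matched; the script is also reachable directly.
    if (!in_array($dir, ALLOWED_DIRS, true)
        || !preg_match('#\A[^./\\\\]+\.ext\z#', $file)) {
        return null;
    }
    $base = realpath(PROTECTED_ROOT . '/' . $dir);
    $path = realpath(PROTECTED_ROOT . '/' . $dir . '/' . $file);
    // realpath() resolves ".." and symlinks, so the prefix check is meaningful.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('You must be logged in to view this file.');
}

$dir  = $_GET['dir'] ?? '';
$file = $_GET['file'] ?? '';
$path = (is_string($dir) && is_string($file)) ? resolve_protected_path($dir, $file) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found.');
}

header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
readfile($path); // streams bytes; unlike include(), never runs the file as PHP
```

Keeping the files outside the document root matters as much as the script: if they stay under a web-served directory, any URL the RewriteRule does not match still reaches them without the session check.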