tags:

views:

81

answers:

1
Q: 

deny direct access to a php file by typing the link in the url

hi, I am using php session for a basic login without encryption for my site. I want to prevent a user from directly accessing a php page by typing the url when he/she is not signed in. But this is not happening. I am using session_start(), initializing session variables and aslo unsetting and destroying sesssion during logout. Also if I type the link in a different browser the page is getting displayed. I am not very well versed with php , only a beginner. I googled for such problem and found few alternatives as keeping all files in a seperate folder from the web root, using .htaccess etc. Can someone explain in simple terms what could be a good solution.thanks in advance.

+3  A: 

There are lots of solutions, but basically you need to generate the page only if the session is valid. If not valid, shunt user to a non-access display. If you have this and it seems not to work, perhaps you should post some code.

See: http://www.astahost.com/info.php/simple-user-validation-script_t14857.html http://www.puremango.co.uk/2004/12/php_pass_81

Smandoli  2010-05-04 23:03:45
Does it mean I have to check for valid session at the beginning of every page?
aeonsleo  2010-05-04 23:11:43
Yes. But depending on your scheme, you may also check a session variable. So you might be validating the user's access, which is not the same as checking for the session validity. I'm not sure it's generally the practice to use session-is-valid as your criterion. An invalid session means certainly you'll block access, but a valid session might offer variables for your authorization.
Smandoli  2010-05-04 23:40:57
Sorry the above comment is not clear. I believe the links may be helpful, though!
Smandoli  2010-05-04 23:41:47
Make a session variable, $valid. Start it out as FALSE. When login succeeds, make it TRUE. Upon logout, FALSE. Use this as your criteria at top of every page. There are some security considerations in arranging this. But you will have a more flexible and robust solution than jsut shutting down the session.
Smandoli  2010-05-04 23:50:55
Thanks, that seems to be a nice and easy solution and sorry for the answering part, getting used to stackoverflow.
aeonsleo  2010-05-05 00:03:06
No problem, we all did that. Also, I've been in the same situation -- a PHP newbie needing a logon scheme, trying htaccess etc. Glad you got some help.
Smandoli  2010-05-05 00:35:19

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases