Reply to Re: Protecting a whole directory - PHP Authentication


Posted by Jerry Stuckle on 08/25/07 15:27

salmobytes wrote:
> On Aug 23, 11:08 am, rogerjam...@googlemail.com wrote:
>> How would I go about protecting a whole directory, e.g. http://www.example.com/members/ and all sub-directories with login
>> protection? I wouldn't like to put a .php script in each directory and
>> I'd like to protect all file-types
>
> I didn't read the whole thread in detail, but I glanced at every
> post. I (think) I have a way to do this that didn't yet come up.
> How secure the protection needs to be is important.
> If you're talking about financial transactions
> or trade secrets, then perhaps my method isn't such a good idea.
> I sell digital information. So If I do get hacked the only thing
> I lost was a transaction that never would have happened legitimately
> anyway.
>
> I sell subscriptions to how-to-do-it boat building instructions.
> I make every file underneath some directory point a .php file, even
> though it's largely static html.
>
> At the top of each such file (they are all machine generated, from
> mysql tables) I put a few lines of code that looks for a $_SESSION
> variable. If that session variable is not set to the right value,
> I redirect the page to a login screen. The session variable that serves
> as the key to the secure area only gets set if the user passes a
> password test in the login screen. My customers frequently complain
> how inconvenient it is........that they can't bookmark the pages.
> So this system seems to work just fine for me. .htaccess and mod-rewrite
> don't play a role.
>

That works fine for html/php files. But it doesn't work for images,
pdf's, etc.

And the original op indicated he didn't want to put a PHP file in every
directory, and wanted to protect all file types.

When the "all file type" requirement comes up and the customer doesn't
wish to use http authentication, I use a combination of .htaccess and
PHP. When someone requests access to a protected file, Apache redirects
to a PHP script which checks the credentials. If they are logged in, it
retrieves the file (from a directory outside the webserver's document
root directory), applies the appropriate content-type header and delivers
it. If they aren't logged in yet, I present the login screen, and after
logging in, they are presented with the file.

They can also bookmark these pages.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
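
The .htaccess-plus-PHP gatekeeper described in the post above, sketched as an added example that is not part of the original post or the poster's code. The names `serve.php`, `login.php`, `$_SESSION['member_ok']`, `$_SESSION['return_to']` and the path `/var/www/protected` are assumptions chosen for illustration.

```php
<?php
// Added example. Assumed .htaccess in the document root (mod_rewrite):
//   RewriteEngine On
//   RewriteRule ^members/(.*)$ /serve.php?file=$1 [L]
// The real files live in PROTECTED_ROOT, outside the document root, so
// Apache can never serve them directly (hypothetical path).
declare(strict_types=1);

const PROTECTED_ROOT = '/var/www/protected';

// Map a requested relative path to a real file under $root, or null.
function resolve_protected(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses ../ and symlinks; the result must stay inside root.
    $full = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if ($full === false || !is_file($full)
        || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

session_start();
$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';

if (empty($_SESSION['member_ok'])) {
    // Remember the target so login.php can return the user to it afterwards.
    $_SESSION['return_to'] = $requested;
    header('Location: /login.php', true, 302);
    exit;
}

$path = resolve_protected(PROTECTED_ROOT, $requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

session_write_close(); // release the session lock before streaming the file
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the URL under `/members/` stays the same before and after login, bookmarks keep working; the containment check in `resolve_protected()` is what stops a request such as `file=../../etc/passwd` from escaping the protected directory.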
