Require login form

[Janus13]

I have a login form that redirects to a secure folder on successful login, but I was thinking tonight that someone could bypass it by going directly to the protected folder and logging in (I use both mysql db and .htaccess security) and I wonder if it is possible using mod_rewrite to redirect to the login page if the user isn't logged in, and allow the user through if they are using session variables. Can apache read php session variables? And can the mod_rewrite engine act upon them? I don't want to require the index page of the protected folder by a php page if possible.

Thanks again

Jon

[Janus13]

Has anyone seen an example, or know how to do what I'm describing above, or does it even make sense?

[redarrow]

YEP i uderstand


you got to put a copy of your index.php page in the folder ok.


ps. any one goes in that folder gets your main page.

or add this

index.php // plonk in the folder ok.
[code]
<?

header("location: index.php/")

?>
[/code]

[meckr]

this is just a test (mod feel free to delete)

[Janus13]

That defeats the purpose of my question. I know how to do that, but I want to know if it's possible to make .htaccess rules with mod_rewrite read php variables so force a login page to display if the user hasn't previously logged in. I don't want to have to require the directory have a php as the index page.

[redarrow]

Options +FollowSymlinks
RewriteEngine on
RewriteRule ^(.*)\.htm$ $1.php [nc]

[a href=\"http://corz.org/serv/tricks/htaccess2.php\" target=\"_blank\"]http://corz.org/serv/tricks/htaccess2.php[/a]

[Janus13]

Thanks for the reply. What does the last rule translate to? And how does it keep up with the php variable showing it that it's logged on?

[redarrow]

[!--quoteo(post=386240:date=Jun 21 2006, 02:12 AM:name=Janus13)--][div class=\'quotetop\']QUOTE(Janus13 @ Jun 21 2006, 02:12 AM) [snapback]386240[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Thanks for the reply. What does the last rule translate to? And how does it keep up with the php variable showing it that it's logged on?
[/quote]
Handy for anyone updating a site from static htm (you could use .html, or .htm(.*), .htm?, etc) to dynamic php pages; requests to the old pages are automatically rewritten to our new urls. no one notices a thing, visitors and search engines can access your content either way. leave the rule in; as an added bonus, this enables us to easily split php code and its included html structures into two separate files, a nice idea; makes editing and updating a breeze. The [nc] part at the end means "No Case", or "case-insensitive", but we'll get to the switches later.

Folks can link to whatever.htm or whatever.php, but they always get whatever.php in their browser, and this works even if whatever.htm doesn't exist! but I'm straying..

As it stands, it's a bit tricky; folks will still have whatever.htm in their browser address bar, and will still keep bookmarking your old .htm URL's. Search engines, too, will keep on indexing your links as .htm, some have even argued that serving up the same content from two different places could have you penalized by the search engines. This may or not bother you, but if it does, mod_rewrite can do some more magic..


[!--sizeo:4--][span style=\"font-size:14pt;line-height:100%\"][!--/sizeo--]read the link ok good luck[!--sizec--][/span][!--/sizec--]

[Janus13]

Oh I see. I understand what you are saying, although it doesn't do exactly what I want. Perhaps there is more magic that mod_rewrite can do that may do what I want. Ultimately I want to have someone go to a page under a protected page, and if they have bypassed the login page have it prompt them to login at the login page. The catch is that not all pages are PHP, some are pure html, but are secured under a passwd/.htaccess protected folder that you can go directly to and bypass all webpages. Is there a way for .htaccess/mod_rewrite to redirect back to a specific page if that page has not authenticated the user?

For example. I have a folder protected with a .htaccess rule pointing to a passwd file somewhere outside the htdocs directory. I have a login.php that processes a DB login then passes to the .htaccess folder. Someone could circimvent the login page and try to directly login via the protected directory and use just the .htaccess authentication. I want to check to see if they have some sort of variable set (like a session variable) that says they are logged in correctly, if not then force them back to the login.php page.

Is that possible with mod_rewrite?

[redarrow]

[!--quoteo(post=386271:date=Jun 21 2006, 03:58 AM:name=Janus13)--][div class=\'quotetop\']QUOTE(Janus13 @ Jun 21 2006, 03:58 AM) [snapback]386271[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Oh I see. I understand what you are saying, although it doesn't do exactly what I want. Perhaps there is more magic that mod_rewrite can do that may do what I want. Ultimately I want to have someone go to a page under a protected page, and if they have bypassed the login page have it prompt them to login at the login page. The catch is that not all pages are PHP, some are pure html, but are secured under a passwd/.htaccess protected folder that you can go directly to and bypass all webpages. Is there a way for .htaccess/mod_rewrite to redirect back to a specific page if that page has not authenticated the user?

For example. I have a folder protected with a .htaccess rule pointing to a passwd file somewhere outside the htdocs directory. I have a login.php that processes a DB login then passes to the .htaccess folder. Someone could circimvent the login page and try to directly login via the protected directory and use just the .htaccess authentication. I want to check to see if they have some sort of variable set (like a session variable) that says they are logged in correctly, if not then force them back to the login.php page.

Is that possible with mod_rewrite?
[/quote]
i just read about mod_rewrite you got to put the session id within the url

i dont think its possable to get mod_rewrite to see if the user is a registred user and then if not redirect them to a page sorry.