need help protecting directorys without having a dual login system.

[Sade]

Here's the case:

I'm working on a new version of my website, this time with a php/mysql-login-system.
On my old site i use .htaccess to password protect certain directories.
In the new site i would like a similar sort of protection but i don't want two login systems side by side.
When thats the case, a user first needs to logon to the site and then when he/she reaches a protected part also needs to http_auth.
This causes confusion, and since i have this nice php login system now i would like to use that site-wide.

for most parts of the site i'm able to stop navigation to the protected parts, but somewone can still enter the url manually and thus get to the files.

So can someone help me with this?
ether a way to control .htaccess through php.
or another way to protect files and directorys in a way that logged in users can still reach them.


I don't realy know what information or code i should supply for better understanding, so i start by this:
-
The server is on my own machine(@home) running:
-
OS: gentoo
-
Server version: Apache/2.0.58
Server built:  Jul 31 2006 17:14:51
-
PHP 5.1.4-pl6-gentoo (cli) (built: Sep  6 2006 13:36:40)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies
-
mysql  Ver 14.7 Distrib 4.1.21, for pc-linux-gnu (i686) using readline 5.1

[craygo]

you can use sessions to verify a user when they get to web pages that way there userid is always available to run against the db to see if they have access to the particular page.

I use it to secure a database application I wrote. Keeps users away from certain forms.

Can throw you an example if needed.

Ray

[Sade]

people can still access the files if they use a direct url with that method.

for instance, when i have this upload section for a selection of users. I wan't them to be able to reach there files. I can't put a <?if ($_SESSION).....?> in the top of the file. So when somebody uses a direct url they can download the file.
i can protect this with a .htaccess, but then the user can't reach the file unless they know the .htaccess pass.

and for stuff like jinzora, i would like to protect the jinzora folder but i don't want to use the jinzora user system on top of my own.

[scottybwoy]

Hmm,  What I am trying to implement is built into my framework structure, that only has a few client executable scripts that then go off and include other scripts into the original script, depending on their autorisation level.  That way the user wouldn't even need to put in the .htaccess pass.  I think this is similar to what you want, but I'm going down the OOP route.

Structure -->
    |
    +-classes
    +-scripts
    +-templates
    +-libs
    +-httpd
    |    +-images
    |    +style.css
    |    +index.php

So all they have access to is index.php images and the style sheet, so index just includes another application backbone file that sorts out all the pages and templates all done behind closed doors based on the authentication you set.  Good Luck

[steveclondon]

Yes I agree with the above. If you have different levels of users you scripts can check what level they are before displaying a page.

[Sade]

but what do you do with a upload dir? the problem i mentioned above?
or with scripts you have little influence on like [url=http://www.jinzora.com]Jinzora[/url]?