ferret147 Posted June 20, 2011

I have been told that I can use mod_rewrite to deny folder access from a session variable, but as of yet am unable to find any confirmed evidence of this. Basically this is what I am wanting to do:

admin/
admin/files

I have the admin folder protected with a login script, and when members log in I want them to have access to the folder admin/files, but if a visitor is not logged in then they will be denied access to admin/files/.

My session variable is $admin_username.

So in the .htaccess I suppose I am looking for something like this -

if (isset($_SESSION['admin_username'])) {/allow} else {/deny}

Well, that is how I would do it in PHP, but how can I achieve this with mod_rewrite?

All help appreciated, this one has been bugging me for some time now.

pastcow Posted June 20, 2011

You might be able to do something along the lines of redirecting all requests via a PHP script, e.g.

RewriteEngine On
RewriteBase /
RewriteRule . /protected.php [L]

Then have the protected.php check for that session variable and if it exists use the readfile() function to fetch the file and return it to the user.

ferret147 (Author) Posted June 20, 2011

I see what you are saying but my problem is a little more complex! Let's say I have a file in site.com/admin/files/file.avi. This would not stop a member copying that URL from the page it is embedded in, posting it up on a message board or sharing it with someone via email who does not have a user account on the site, and them accessing the file, hence the reason for only allowing browsers with that session set being allowed to access the file.

Unless there is another way, but I cannot think of anything offhand.

cags Posted June 20, 2011

You can't access PHP session data from an .htaccess file in that manner. You will have to actually serve the file using PHP as mentioned by pastcow. Assuming you redirect all requests via PHP, then it wouldn't matter if somebody copied and pasted the path to the file, as you would redirect the request to a PHP file that would check the session data before reading the requested file data in and returning it.

pastcow Posted June 20, 2011

If you stick that mod_rewrite rule in place, even .AVI and .TXT requests will flow through the "protected.php" script, which can do the checks. If someone pastes a link to the AVI they won't be able to download it unless they have a valid session identifier.

ferret147 (Author) Posted June 20, 2011

Right, OK, I think I understand now. Thank you for your help guys.

ferret147 (Author) Posted June 21, 2011

Quick question! I have tried to use the readfile() and the fopen commands to fetch the files in the now protected folder with no luck! Any advice?

What I have done is set up a test folder and page:

/index.php
/protected/
/protected/.htaccess

The htaccess file is as suggested and works fine and redirects to index.php.

In the index.php file I have this:

<?php $file = '/protected/testimage.jpg'; ?>
<p><img src="<?php fopen("$file", "r");?>" /></p>

and the image does not show! Any ideas as to how I should fetch the file?

I was thinking of cURL but I have used this function in the past and it is very CPU heavy, and this script is going to be servicing around 41,000 page views a day from the members.

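The gatekeeper script that pastcow and cags describe above, as an added example that is not part of the original thread: it checks the session, confines the requested path to the protected folder, and streams the file with readfile(). The file name protected.php and the session key admin_username come from the thread; the admin/files location under the document root, the helper name resolveProtectedPath() and the availability of the fileinfo extension (for mime_content_type()) are assumptions.

```php
<?php
// protected.php - added example, not code from the thread.
// Assumptions: the .htaccess in the protected folder rewrites every request
// to this script, the login script sets $_SESSION['admin_username'], and
// the files live in admin/files next to this script in the document root.
declare(strict_types=1);

/**
 * Map a request URI to a file inside $baseDir (hypothetical helper).
 * Returns null if the path escapes the directory or is not a regular file.
 */
function resolveProtectedPath(string $requestUri, string $baseDir, string $urlPrefix): ?string
{
    $path = rawurldecode((string) parse_url($requestUri, PHP_URL_PATH));
    if (strncmp($path, $urlPrefix, strlen($urlPrefix)) !== 0) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . substr($path, strlen($urlPrefix)));
    // realpath() resolves "../" and symlinks; the prefix check keeps the
    // result inside $base so a crafted URL cannot read other files.
    if ($base === false || $full === false || !is_file($full)
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

session_start();
if (!isset($_SESSION['admin_username'])) {
    http_response_code(403);          // no valid login: refuse, send no bytes
    exit('Forbidden');
}

$file = resolveProtectedPath($_SERVER['REQUEST_URI'], __DIR__ . '/admin/files', '/admin/files/');
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}

session_write_close();                // release the session lock before a long download
header('Content-Type: ' . (mime_content_type($file) ?: 'application/octet-stream'));
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);                      // streams the file without loading it all into memory
```

A page then embeds the file by its ordinary URL, for example `<img src="/admin/files/testimage.jpg">`; the browser's request for that URL carries the session cookie, the rewrite rule hands it to this script, and the script returns the bytes only to a logged-in member.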