deny folder permission

[ferret147]

I have been told that I can use mod_rewrite to deny folder access from a session variable but as of yet am unable to find any confirmed evidence of this.  Basically this is what I am wanting to do;

 

admin/

admin/files

 

I have the admin folder protected with a login script and when members log in I want them to have access to the folder admin/files but if a visitor is not logged in then they will be denied access to admin/files/

 

my session variable is $admin_username

 

So in the .htaccess I suppose I am looking for something like this -  if (issset($_SESSION['admin_username'])) {/allow} else {/deny} well that is how I would do it in php but how can I achieve this with mod_rewrite ?

 

All help appreciated, this one has been bugging me for some time now.

[pastcow]

You might be able do do something along the lines of redirecting all requests via a PHP script. e.g.

 

                        RewriteEngine On

                        RewriteBase /

                        RewriteRule . /protected.php [L]

 

Then have the protected.php check for that session variable and if it exists use the readfile() function to fetch the file and return it to the user.

 

[ferret147]

I see what you are saying but my problem is a little more complex!

 

lets say I have a file in site.com/admin/files/file.avi this would not stop a member copying that URL from the page it is embedded in, posting it up on a message board or sharing it with someone via email who does not have a user account on the site and them accessing the file hence the reason for only allowing browsers with that session set being allowed to access the file.

 

Unless there is another way but I can not think of anything off hand

[cags]

You can't access PHP session data from an .htacess file in that manner. You will have to actually serve the file using PHP as mentioned by pastcow. Assuming you redirect all requests via PHP then it wouldn't matter if somebody copy and pasted the path to the file as you would redirect the request to a php file that would check the session data before reading the requested file data in and returning it.

[pastcow]

If you stick that mod rewrite rule in place even .AVI and .TXT requests will flow through the "protected.php" script which can do the checks. If someone pastes a link to the AVI they wont be able to download it unless the have a valid session identifier

[ferret147]

Right ok I think I understand now.

 

Thank you for your help guys.

[ferret147]

Quick question! I have tried to use the readfile() and the fopen commands to fetch the files in the now protected folder with no luck!

 

Any advice?

 

What I done is setup a test folder and page;

 

/index.php

/protected/

/protected/.htaccess

 

htaccess file is as suggested and works fine and redirects to index.php

 

in the index.php file I have this;

 

 

 

 

<?php $file = ''/protected/testimage.jpg'; ?>

<p><img src="<?php fopen("$file", "r");?>"  /></p>

 

 

and the image does not show! any ideas as to how I should fetch the file? I was thinking of cURL but I have used this function in the past and it is very CPU heavy and this script is going to be servicing around 41,000 page views a day form the members.