Apache目录列表,并防止用户在不登录PHP表单的情况下访问文件
[英]Apache directory listing and prevent users from accessing files without login to PHP form
问题描述
So this question has been asked but in the other questions the users want to prevent apache from listing a directory. 
因此,已经提出了这个问题,但在其他问题中,用户希望阻止apache列出目录。 Basically I have a website that has a login to a file exchange system, if the user is logged in then he can get access to content that is uploaded by other users. 基本上,我有一个登录文件交换系统的网站,如果用户已登录,则他可以访问其他用户上传的内容。 Here is how I prevent users from accessing certain parts of my site 这是防止用户访问网站某些部分的方法
function loggedin()
{
if (isset($_SESSION['myusername']) || isset($_COOKIE['myusername']))
{
return true;
}
else {
return false;
}
}
I use this code to show all directories in my uploads folder: 我使用以下代码显示我的上载文件夹中的所有目录:
<?php
$dir = "./uploads";
$list = scandir($dir); /* This function sorts dirs */
$list = array_diff($list,array(".","..","index.php"));
echo "<ol>";
foreach ($list as $file)
{
if (!is_dir($file)) echo "<li><a href='https://rye-high.ca/Rye High/$dir/$file'>$file</a></li>\n";
}
echo "</ol>";
?>
NOW for sheer simplicity I allow apache to list the directories using Options Indexes FollowSymLinks because I like how apache does it automatically and prevents me from coding something that might break in php. 现在,为了简单起见,我允许apache使用Options Indexes FollowSymLinks列出目录,因为我喜欢apache的自动执行方式,并防止我编写可能会破坏php的代码。
My Question: Users that know the filename/folder name can access the files (and directory) directly without logging into the system (ie mysite.ca/Rye High/uploads/ACC 100/. I would like to prevent this by still keeping Option Indexes turned on so that apache can list the files to users who are actually logged in. 我的问题:知道文件名/文件夹名称的用户可以直接访问文件(和目录),而无需登录系统(即mysite.ca/Rye High / uploads / ACC 100 /。)我想通过保留Option来防止这种情况索引已打开,以便apache可以将文件列出给实际登录的用户。
How can it be done? 如何做呢? .htaccess file? .htaccess文件?
I considered editing the default apache template code for listing directories however I may not want this for other virtual hosts (globally) in the future. 我考虑过编辑用于列出目录的默认apache模板代码,但是将来我可能不希望将其用于其他虚拟主机(全局)。
1 个解决方案
解决方案1
0 已采纳 2014-02-09 19:03:34
You can use apache's Basic Auth module ( http://linuxzoo.net/page/tut_authapache.html ) and further you can generate .htpasswd files using PHP - http://www.htaccesstools.com/articles/create-password-for-htpasswd-file-using-php/ . 您可以使用Apache的基本身份验证模块( http://linuxzoo.net/page/tut_authapache.html ),并且还可以使用生成htpasswd文件PHP - http://www.htaccesstools.com/articles/create-password-for -htpasswd-file-using-php / 。
A good way is to use something like php file manager: 一个好的方法是使用类似php文件管理器的方法:
- https://github.com/adrian7/phpfilebrowser https://github.com/adrian7/phpfilebrowser
- http://phpfm.sourceforge.net/ http://phpfm.sourceforge.net/
- http://encode-explorer.siineiolekala.net/ http://encode-explorer.siineiolekala.net/
Or you could set a cookie after the user successfully signs in, and then check the cookie in a htaccess: https://stackoverflow.com/questions/19382160/htaccess-compare-cookie-value-and-redirect-if-evaluation-returns-true-false . 或者,您可以在用户成功登录后设置一个cookie,然后在htaccess中检查该cookie: https : //stackoverflow.com/questions/19382160/htaccess-compare-cookie-value-and-redirect-if-evaluation-返回true-false 。 The issue with this, is that somebody who knows the cookie value will be able to browse your files without signing in in the first place. 这样做的问题是,知道cookie值的人将能够浏览您的文件而无需先登录。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.