[英].htaccess: deny direct access to files in specific case
I have these files in my webroot: index.php (login page), login.class.php, styles.css and then a directory "accounts", in that directory there are some css files, index.php and formprocess.php 我在我的webroot中有这些文件:index.php(登录页面),login.class.php,styles.css然后是一个目录“accounts”,在该目录中有一些css文件,index.php和formprocess.php
So when a user visits site (index.php) he is asked to log in. If he enters correct username and password: he is redirected to accounts/index.php. 因此,当用户访问网站(index.php)时,系统会要求他登录。如果他输入正确的用户名和密码:他会被重定向到accounts / index.php。 If he enters wrong: he IP is blocked.
如果他输入错误:他的IP被阻止了。
But this login page can be bypassed by directly visiting accounts/index.php. 但是可以通过直接访问accounts / index.php来绕过此登录页面。 So I want to prevent that.
所以我想阻止它。
What I want is: A user should only have access to 'accounts' directory and its file if he has logged to the site. 我想要的是:用户只有在登录到网站时才能访问“accounts”目录及其文件。 Direct access should give 403 error.
直接访问应该给403错误。
Can anyone tell me how to do that using .htaccess or php? 谁能告诉我如何使用.htaccess或php?
Any help would be appreciated :) 任何帮助,将不胜感激 :)
Via PHP you could create a session, in the login process you can set certain value which is needed in order to open accounts/index.php
let's say value "banana" 通过PHP,您可以创建一个会话,在登录过程中,您可以设置一定的值,这是打开
accounts/index.php
所需的值accounts/index.php
让我们说值“香蕉”
Your index.php would have this code after authorization is complete: 授权完成后,您的index.php将拥有此代码:
$_SESSION['banana'] = "true";
And your accounts/index.php
then would look like this: 然后你的
accounts/index.php
看起来像这样:
if($_SESSION['banana'] == "true")
{ //authorization went correctly enter code here
}
else
{ //not authorized, return to index
header("location: ../index.php");}
oh, and don't forget the session_start();
哦,不要忘记
session_start();
in both pages. 在两个页面中。
I like old school tech. 我喜欢老学校的技术。 .htaccess still works for me, so let me provide an alternative solution vs the PHP one given above :)
.htaccess仍然适合我,所以让我提供一个替代解决方案vs上面给出的PHP :)
More info: create this .htaccess at your website root. 更多信息:在您的网站根目录创建此.htaccess。
# Protect the htaccess file
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
# protect your files by extension
<Files *.php>
Order allow,deny
Deny from all
</Files>
# Deny access to sub directory
<Files accounts/*>
deny from all
</Files>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.