堆栈内存溢出
  简体   繁体   English

.htaccess:拒绝在特定情况下直接访问文件

[英].htaccess: deny direct access to files in specific case

 原文  2014-08-13 05:33:39       php/ .htaccess

问题描述

I have these files in my webroot: index.php (login page), login.class.php, styles.css and then a directory "accounts", in that directory there are some css files, index.php and formprocess.php 我在我的webroot中有这些文件:index.php(登录页面),login.class.php,styles.css然后是一个目录“accounts”,在该目录中有一些css文件,index.php和formprocess.php

So when a user visits site (index.php) he is asked to log in. If he enters correct username and password: he is redirected to accounts/index.php. 因此,当用户访问网站(index.php)时,系统会要求他登录。如果他输入正确的用户名和密码:他会被重定向到accounts / index.php。 If he enters wrong: he IP is blocked. 如果他输入错误:他的IP被阻止了。

But this login page can be bypassed by directly visiting accounts/index.php. 但是可以通过直接访问accounts / index.php来绕过此登录页面。 So I want to prevent that. 所以我想阻止它。

What I want is: A user should only have access to 'accounts' directory and its file if he has logged to the site. 我想要的是:用户只有在登录到网站时才能访问“accounts”目录及其文件。 Direct access should give 403 error. 直接访问应该给403错误。

Can anyone tell me how to do that using .htaccess or php? 谁能告诉我如何使用.htaccess或php?

Any help would be appreciated :) 任何帮助,将不胜感激 :)

2 个解决方案

解决方案1
 1  2014-08-13 05:50:10

Via PHP you could create a session, in the login process you can set certain value which is needed in order to open accounts/index.php let's say value "banana" 通过PHP,您可以创建一个会话,在登录过程中,您可以设置一定的值,这是打开accounts/index.php所需的值accounts/index.php让我们说值“香蕉”

Your index.php would have this code after authorization is complete: 授权完成后,您的index.php将拥有此代码: 

$_SESSION['banana'] = "true";

And your accounts/index.php then would look like this: 然后你的accounts/index.php看起来像这样: 

if($_SESSION['banana'] == "true")
{ //authorization went correctly enter code here
}
else
{ //not authorized, return to index
header("location: ../index.php");}

oh, and don't forget the session_start(); 哦,不要忘记session_start(); in both pages. 在两个页面中。

解决方案2
 1  2014-08-13 06:48:15

I like old school tech. 我喜欢老学校的技术。 .htaccess still works for me, so let me provide an alternative solution vs the PHP one given above :) .htaccess仍然适合我,所以让我提供一个替代解决方案vs上面给出的PHP :)

More info: create this .htaccess at your website root. 更多信息:在您的网站根目录创建此.htaccess。 

# Protect the htaccess file
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

# protect your files by extension
<Files *.php>
Order allow,deny
Deny from all
</Files>

# Deny access to sub directory
<Files accounts/*>
    deny from all
</Files>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 拒绝使用htaccess直接访问文件 - Deny direct access to files using htaccess 拒绝直接访问文件夹中的文件 - Deny direct access to files in folder 拒绝通过htaccess直接访问文件夹和文件 - deny direct access to a folder and file by htaccess .htaccess拒绝访问特定文件? 超过一个 - .htaccess deny access to specific files? more than one 拒绝访问htaccess中的多个文件 - Deny access to multiple files in htaccess 如何拒绝直接访问AJAX目录中的文件 - How to deny direct access to files in AJAX directory 修改.htaccess以拒绝访问文件夹,但是仅允许使用ajax从我的站点访问特定文件 - Modify .htaccess to deny access into folder, but allow access only from my site using ajax to specific files htaccess不会拒绝PHP对文件的访问 - htaccess doesn't deny PHP access to files 使用htaccess拒绝通过浏览器访问目录文件 - Deny access to directory files via browser with htaccess .htaccess拒绝仅访问PHP文件 - .htaccess deny access to just PHP files
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM