PHP限制对网页的访问
[英]PHP Restricting Access to web pages
问题描述
I have several folders within my web server. 
我的网络服务器中有几个文件夹。 Each folder contains php / html files. 每个文件夹包含php / html文件。 In total there is around 40 files. 总共大约有40个文件。
Using php I can determine the identity of the user who is currently logged in. 使用php,我可以确定当前登录用户的身份。
Is it possible to allow users to only access specific pages, based on who they are logged in as ? 是否可以允许用户仅根据登录用户的身份访问特定页面?
I was wondering if .htaccess would allow this ? 我想知道.htaccess是否允许? Or if there is a better way ? 还是有更好的方法?
I don't really want to start having to create a user / password authentication script. 我真的不想开始创建用户/密码身份验证脚本。
Thanks 谢谢
3 个解决方案
解决方案1
4 已采纳 2014-10-13 16:12:29
Using sessions, you can create user levels and restrict access to various areas by assigning user levels to SESSION variables. 使用会话,您可以通过将用户级别分配给SESSION变量来创建用户级别并限制对各个区域的访问。 Presumably, since, quote Using php I can determine the identity of the user who is currently logged in. , you have the ability to set up session variables. 大概是因为Using php I can determine the identity of the user who is currently logged in.引用了Using php I can determine the identity of the user who is currently logged in.您可以设置会话变量。 I believe this is known as role based access control - In it's very simplest form 我认为这被称为基于角色的访问控制-以最简单的形式
if ($_SESSION['user_level'] == "Administrator") {
# do something
}
解决方案2
1 2014-10-13 16:13:01
You could do something like this in your .htaccess: 您可以在.htaccess中执行以下操作:
RewriteEngine On
RewriteBase /
RewriteRule ^(.+?\.php)$ index.php?p=$1 [L,QSA,NC]
This will redirect all users trying to view a PHP page to index.php?p=someurl.php 这会将尝试查看PHP页面的所有用户重定向到index.php?p=someurl.php
Then in your index.php you can determine if the user has permission to view to file and if they do serve it, if not deny it. 然后,在index.php中,您可以确定用户是否有权查看文件以及是否确实提供文件(如果未拒绝)。
if ( authorized() ) {
// show file
} else {
die("Not Authorized to Access this File.");
}
解决方案3
0 2014-10-13 16:44:06
You can't directly access SESSION s from .htaccess rules, but you can try a workaround if you're not willing to code. 您无法直接从.htaccess规则访问SESSION ,但是如果您不愿意编码,则可以尝试解决方法。
Inside your authorizing code section, in the last lines after creating session, add a touch() to create a file name of current user session id: 在授权代码部分的内部,在创建会话后的最后几行中,添加touch()以创建当前用户会话ID的文件名:
touch("./folder/logged/PHPSESSID_".session_id());
Then within your .htaccess file try to validate if current PHPSESSID related file is created before: 然后在您的.htaccess文件中尝试验证是否在之前创建了当前与PHPSESSID相关的文件:
RewriteCond %{HTTP_COOKIE} PHPSESSID=(\w+)
RewriteCond %{DOCUMENT_ROOT}/folder/logged/PHPSESSID_%1 -f
RewriteRule ^(.*)$ $1
RewriteRule .* /users/login [L]
* Also note that you should create a simple script to check if created files are valid anymore, if not then remove them. *还请注意,您应该创建一个简单的脚本来检查创建的文件是否有效,如果无效,则将其删除。
* It's just an idea! *这只是一个主意!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.