防止直接访问html文件，但允许通过PHP？

Question

I have a section of my website I would like to protect. I have created a php script to authenticate passwords and once authenticated, I would like them to be directed to an html page.

www.mywebsite.com/protectedfolder/index.html

I don't want users to take the above url, paste it into their browsers and have access to the page however. Do I have to add something my .htaccess file?

Answer 1

add this in .htaccess file in parent folder:

RewriteEngine On

RewriteBase /
RewriteRule ^protectedfolder/index\.html$ / [NC,R,L]
# OR THIS TO PROTECT ALL FOLDER
# RewriteRule ^protectedfolder / [NC,R,L]

or create .htaccess file in protected folder and write this:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

when php script runs and it accesses files it does from current user (not through http). so when trying to read file from protected folder using php's file_get_contents(), readfile(), fopen() and etc. apache's rules does not prevent php to make IO operations with file system.

and if we want output files from protected folder to authenticated users we have to run something like:

if(hasAccess()) {
    print readfile('path/to/protectedfolder/file.html');
}

Answer 2

I would use PHP and a form with password input that would provide a POST request to the server.

<form action="index2.php" method="POST">
    <input name="pass" type="password" />
</form>

Then in PHP

if (empty($_POST["pass"]) || $_POST["pass"] != "yourpasshere") {
    header("Location index1.html");
    die();
}
//your second page here

EDIT: You could also do this with sessions, where a user logins at a certain location, you give them a session name like $_SESSION["name"] = "admin"; and then check for that in a way similar to above with

session_start();
if (empty($_SESSION["name"])) {
    header("Location index1.html");
    die();
}
//your second page here