限制用户访问目录
[英]Restrict access to directory for users
问题描述
I'm coding a small website with login for members. 
我正在为一个小型网站编写会员登录名。 Every member have a dedicated folder and I'd like to know how to deny all access to this folder from everyone except form the user when he's logged in. 每个成员都有一个专用文件夹,我想知道如何拒绝所有人以外的所有对该文件夹的访问,除了用户登录时形成的形式。
For now, I've set up things like that: 现在,我已经设置了类似的东西:
1) Every folder have an .htaccess with deny from all 1)每个文件夹都有一个.htaccess,所有文件夹都deny from all
2) When a user logged in, I use PHP to identify the user and get his folder. 2)当用户登录时,我使用PHP识别用户并获取他的文件夹。 I get the user's IP address and I edit the .htaccess with 我获得了用户的IP地址,并使用
order deny,allow deny from all allow from 178.197.XXX.XXX
3) Once the user logged out, I reset the .htaccess to deny from all again 3)用户注销后,我将.htaccess重置为再次deny from all
Is there a better way? 有没有更好的办法? And is there security risks? 还有安全隐患吗?
1 个解决方案
解决方案1
1 已采纳 2017-06-14 15:35:15
Don't use IP. 不要使用IP。 One user is not equal to one IP. 一个用户不等于一个IP。
Store the folders outside the document root of your web server. 将文件夹存储在Web服务器的文档根目录之外。 This way, the files can never be served directly by the web server itself. 这样,文件就永远不会直接由Web服务器本身提供。
Ie, do not serve the files directly like http://my.site.com/path/to/actual/file . 即,不要像http://my.site.com/path/to/actual/file那样直接提供文件。 Instead require that the file be requested through a proxy PHP script like http://my.site.com/getfile.php?file=name . 而是要求通过代理PHP脚本(例如http://my.site.com/getfile.php?file=name请求文件。 The script would check that a user is logged in, check that a file named name exists in that user's directory, and then spew it with readfile() or similar. 该脚本将检查用户是否已登录,检查该用户目录中是否存在名为name的文件,然后使用readfile()或类似文件将其喷出。
Also, in general, your files should never be writable by the user that the web server process runs as -- especially your .htaccess files. 同样,通常,Web服务器进程运行的用户绝对不能写文件- 尤其是 .htaccess文件。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.