防止直接访问URL

Question

I have a website and all the connectivity (with the database and other) are in a folder. Although there is a session on the restricted pages to prevent not logged users, these files may be reached if typed the full url(even if the php does show anything i guess its not a good thing). And the folder itself can be seen like a directory on the server, which is very bad.

www.mysite.com/connectionfolder

How can I deal with this problem? thanks!

Answer 1

Apache: Add the line below in your root .htaccess file

Options -Indexes

If there is a line Options Indexes already in existing .htaccess file than you can simply modify it with Options -Indexes

This will have Apache preventing direct directory access.

Answer 2

If you use Apache put a .htaccess file in your root web directory if one is not already there. Then put this in the file:

Options -Indexes 

More info: https://httpd.apache.org/docs/current/mod/core.html#options

Answer 3

You can also redirect the user away from the "secure" pages

<?php
//...Valid user check
if(!$validuser)
{
    header("Location: /");
    exit;
}

Answer 4

<?php header("Status: 404 Not Found"); ?>

Put this after session verification, the page with give 404 page error saying page not found

For example you can put it in

if(!$user_loggedin) {
header("Status: 404 Not Found");
} else {

echo "welcome to your page ....";


}

The above code will generate PAGE NOT FOUND ERROR if the user is not loged in. Which means, anyone seeying that error will thik the page does not exist at all