通过PHP中的会话进行用户身份验证,是否需要.htaccess?
[英]User authentication via sessions in PHP, is .htaccess necessary?
问题描述
I want to know if password protecting areas of a website using sessions in PHP also requires .htaccess, or not. 
我想知道使用PHP中的会话保护网站区域的密码是否也需要.htaccess。 I'm new to password protecting areas of a site so in spite of the days of research I have done on this, I'm still confused. 我是网站区域密码保护的新手,所以尽管我对此进行了很多研究,但我仍然感到困惑。
The billing company my client uses provides a script I place in a specific folder that allows them to write new and updated user information to the site's users mysql database. 我的客户使用的计费公司提供了一个脚本,我将其放在特定的文件夹中,该脚本可让他们将新的和更新的用户信息写入站点的用户mysql数据库。 I want to use my own login and logout pages, and I know HTTP authentication uses its own pop-up login box and offers no real way to log out...hence we're using the database to store user info. 我想使用自己的登录和注销页面,并且我知道HTTP身份验证使用其自己的弹出式登录框,并且没有真正的注销方法,因此我们正在使用数据库来存储用户信息。
So the bottom line is, do I need an .htaccess file in my protected folder if I'm authenticating via database and using sessions in PHP? 因此,最重要的是,如果我通过数据库进行身份验证并在PHP中使用会话,是否需要在受保护的文件夹中添加一个.htaccess文件?
Many thanks in advance! 提前谢谢了!
3 个解决方案
解决方案1
4 已采纳 2013-01-13 22:18:33
No you do not. 你不可以。 .htaccess files provide access to basic authentication. .htaccess文件提供对基本身份验证的访问。 What you're talking about would be handled by the web site scripts. 您正在谈论的内容将由网站脚本处理。 The big thing you need to remember is to always check on page load for a valid session and failing that redirect to a login page. 您需要记住的最重要的事情是,始终检查页面加载中是否存在有效的会话,并确保无法重定向到登录页面。
解决方案2
1 2013-01-13 22:27:12
If every file in the directory is implemented via PHP, then you have no need for htaccess. 如果目录中的每个文件都是通过PHP实现的,则无需htaccess。 However, if their are non-php files in the directory that need protected, those files will NOT be protected. 但是,如果它们是需要保护的目录中的非PHP文件,则这些文件将不受保护。 If you have a sales chart or something like that stored as an image on the file server, then those will be visible to anyone who can manage to find them. 如果您有销售图表或类似的图像作为图像存储在文件服务器上,则任何能够找到它们的人都将看到这些图表。
解决方案3
1 2013-01-13 23:02:02
See this article on REST based authentication (via Apache) : http://www.berenddeboer.net/rest/authentication.html 请参阅有关基于REST的身份验证的文章(通过Apache): http : //www.berenddeboer.net/rest/authentication.html
As you stated that you plan to implement your own authentication system using php session and i presume mysql, then you will not require a .htaccess file to accomplish this. 如您所述,您计划使用php session和我假设的mysql实现自己的身份验证系统,那么您将不需要.htaccess文件即可完成此操作。
As far as this goes via PHP I still make use of a now very heavily modified system that was contained in a sitepoint book build your own website the right way . 就通过PHP进行的操作而言,我仍然使用站点书中包含的现在进行了非常重大修改的系统, 以正确的方式构建自己的网站 。
It basically entails loading a set on controller functions that either relate to storing information within the session or checking that stored info against the database. 从根本上讲,这需要在控制器功能上加载一组功能,这些功能要么与在会话中存储信息有关,要么相对于数据库检查存储的信息。
I can then use things like this to restrict access to certain pages by placing it before everything else : 然后,我可以使用类似这样的方法,将其放置在其他所有内容之前来限制对某些页面的访问:
if (!userIsLoggedIn())
{
include "$docRoot/html/main/login.html.php";
exit();
}
if (!userHasRole('Site Admin'))
{
$error = 'Only a website administrator may access this page, your ip address has been logged and a notification sent to our support team as this is considered as an unauthorized access attempt.';
unset($_SESSION['loggedIn']);
include "$docRoot/html/main/accessdenied.html.php";
exit();
}
if (!userHasActiveAccount())
{
$error = 'Sorry but your account has been disabled. For futher information please contact support.';
unset($_SESSION['loggedIn']);
include "$docRoot/html/main/accessdenied.html.php";
exit();
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.