.htaccess: deny direct access to files in specific case

Question

I have these files in my webroot: index.php (login page), login.class.php, styles.css and then a directory "accounts", in that directory there are some css files, index.php and formprocess.php

So when a user visits site (index.php) he is asked to log in. If he enters correct username and password: he is redirected to accounts/index.php. If he enters wrong: he IP is blocked.

But this login page can be bypassed by directly visiting accounts/index.php. So I want to prevent that.

What I want is: A user should only have access to 'accounts' directory and its file if he has logged to the site. Direct access should give 403 error.

Can anyone tell me how to do that using .htaccess or php?

Any help would be appreciated :)

Answer 1

Via PHP you could create a session, in the login process you can set certain value which is needed in order to open accounts/index.php let's say value "banana"

Your index.php would have this code after authorization is complete:

$_SESSION['banana'] = "true";

And your accounts/index.php then would look like this:

if($_SESSION['banana'] == "true")
{ //authorization went correctly enter code here
}
else
{ //not authorized, return to index
header("location: ../index.php");}

oh, and don't forget the session_start(); in both pages.

Answer 2

I like old school tech. .htaccess still works for me, so let me provide an alternative solution vs the PHP one given above :)

More info: create this .htaccess at your website root.

# Protect the htaccess file
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

# protect your files by extension
<Files *.php>
Order allow,deny
Deny from all
</Files>

# Deny access to sub directory
<Files accounts/*>
    deny from all
</Files>