
User authentication via sessions in PHP, is .htaccess necessary?

I want to know whether password protecting areas of a website using sessions in PHP also requires .htaccess, or not. I'm new to password protecting areas of a site, so in spite of the days of research I have done on this, I'm still confused.

The billing company my client uses provides a script I place in a specific folder that allows them to write new and updated user information to the site's users MySQL database. I want to use my own login and logout pages, and I know HTTP authentication uses its own pop-up login box and offers no real way to log out... hence we're using the database to store user info.

So the bottom line is, do I need an .htaccess file in my protected folder if I'm authenticating via database and using sessions in PHP?

Many thanks in advance!

No, you do not. .htaccess files provide access to basic authentication. What you're talking about would be handled by the website scripts. The big thing you need to remember is to always check on page load for a valid session and, failing that, redirect to a login page.

If every file in the directory is implemented via PHP, then you have no need for .htaccess. However, if there are non-PHP files in the directory that need to be protected, those files will NOT be protected. If you have a sales chart or something like that stored as an image on the file server, then those will be visible to anyone who can manage to find them.

See this article on REST based authentication (via Apache) : http://www.berenddeboer.net/rest/authentication.html
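The exposure this answer describes is the usual reason a session-protected site still leaks files: Apache serves a PNG or PDF without ever running PHP. The following is an added example, not code from the answer or the linked article, of a PHP gatekeeper that hands out a non-PHP file only to a logged-in session. The directory /var/www/private, the file names, the session key loggedIn and the login URL are assumptions.

```php
<?php
// Added example, not part of the original answer: serve non-PHP files
// (reports, charts) only to a logged-in session. The files live outside the
// web root (/var/www/private is an assumed path), so Apache cannot serve them
// directly and no .htaccess is needed for them. If they must stay inside the
// web root, put
//     Require all denied
// (Apache 2.4 syntax) in that directory's .htaccess so this script is the
// only way in.
declare(strict_types=1);

session_start();

const PRIVATE_DIR = '/var/www/private';

// Public name -> file. A whitelist means no user-supplied path ever reaches
// the filesystem, so "../" traversal is not possible.
const FILES = [
    'sales-chart' => ['path' => 'sales-2024.png', 'type' => 'image/png'],
    'invoice'     => ['path' => 'invoice.pdf',    'type' => 'application/pdf'],
];

function serveProtectedFile(string $name): void
{
    // Same check every protected PHP page makes: no session, no file.
    if (empty($_SESSION['loggedIn'])) {
        header('Location: /login.php', true, 302);
        exit();
    }
    if (!isset(FILES[$name])) {
        http_response_code(404);
        exit();
    }

    $real = realpath(PRIVATE_DIR . '/' . FILES[$name]['path']);
    // Even with a whitelist, confirm the resolved path is still inside
    // PRIVATE_DIR and is a regular file (guards against a planted symlink).
    if ($real === false
        || strncmp($real, PRIVATE_DIR . '/', strlen(PRIVATE_DIR) + 1) !== 0
        || !is_file($real)) {
        http_response_code(404);
        exit();
    }

    header('Content-Type: ' . FILES[$name]['type']);
    header('Content-Length: ' . (string) filesize($real));
    header('Content-Disposition: inline; filename="' . basename($real) . '"');
    header('Cache-Control: private, no-store'); // keep it out of shared caches
    header('X-Content-Type-Options: nosniff');
    readfile($real);
    exit();
}

// Usage: <img src="/file.php?name=sales-chart"> from a protected page.
serveProtectedFile((string) ($_GET['name'] ?? ''));
```

Link to /file.php?name=sales-chart instead of the image itself; the browser sends the session cookie with that request, so the same login check applies to the image as to the page that embeds it.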

As you stated that you plan to implement your own authentication system using PHP sessions and, I presume, MySQL, you will not require a .htaccess file to accomplish this.

As far as this goes via PHP, I still make use of a now very heavily modified system that was contained in a SitePoint book, Build Your Own Website the Right Way.

It basically entails loading a set of controller functions that either relate to storing information within the session or checking that stored info against the database.

I can then use things like this to restrict access to certain pages by placing it before everything else :

// These checks run before any output, so the include/exit pair can still
// send the login or denial page instead of the protected content.
if (!userIsLoggedIn())
{
    include "$docRoot/html/main/login.html.php";
    exit();
}

// Logged in but not an administrator: $error is read by the included template.
if (!userHasRole('Site Admin'))
{
    $error = 'Only a website administrator may access this page, your ip address has been logged and a notification sent to our support team as this is considered as an unauthorized access attempt.';
    unset($_SESSION['loggedIn']);   // drop the login on a forbidden attempt
    include "$docRoot/html/main/accessdenied.html.php";
    exit();
}

// Account disabled in the database since login: log out and deny.
if (!userHasActiveAccount())
{
    $error = 'Sorry but your account has been disabled. For further information please contact support.';
    unset($_SESSION['loggedIn']);
    include "$docRoot/html/main/accessdenied.html.php";
    exit();
}
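The guard above depends on controller functions the answer does not show. As an added example, which is neither the answer's code, the book's code nor the billing company's script, here is one way to implement userIsLoggedIn, userHasRole and userHasActiveAccount against the users table with PDO prepared statements, together with the login, logout and per-page check that the first answer recommends (check for a valid session on every page load, otherwise redirect to the login page). The table users with columns id, username, password_hash, role and active, the DSN and credentials, and the login URL are all assumptions about a schema the question does not describe.

```php
<?php
// Added example (not from the original answers or the book): session-based
// authentication backed by the users table. Schema, DSN and credentials below
// are assumptions; adapt them to the billing company's actual table.
declare(strict_types=1);

session_start();

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // Placeholder connection details.
        $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'app', 'secret', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
        ]);
    }
    return $pdo;
}

// Verify a username/password pair; on success, store the user id in the session.
function loginUser(string $username, string $password): bool
{
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_hash stores bcrypt/argon2 output; never compare plaintext.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // New session id on login so a pre-login id handed to the victim
    // (session fixation) cannot be reused.
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = true;
    $_SESSION['userId']   = (int) $row['id'];
    return true;
}

// The real logout that HTTP Basic auth cannot offer: clear data and cookie.
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

function userIsLoggedIn(): bool
{
    return !empty($_SESSION['loggedIn']) && isset($_SESSION['userId']);
}

// Check the database rather than a role cached in the session, so a change
// written by the billing script takes effect on the next request.
function userHasRole(string $role): bool
{
    if (!userIsLoggedIn()) {
        return false;
    }
    $stmt = db()->prepare('SELECT COUNT(*) FROM users WHERE id = ? AND role = ?');
    $stmt->execute([$_SESSION['userId'], $role]);
    return (int) $stmt->fetchColumn() > 0;
}

function userHasActiveAccount(): bool
{
    if (!userIsLoggedIn()) {
        return false;
    }
    $stmt = db()->prepare('SELECT active FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['userId']]);
    return (bool) $stmt->fetchColumn();
}

// Include this file at the top of every protected PHP page and call
// requireLogin() before any output: no valid session means a redirect.
function requireLogin(string $loginUrl = '/login.php'): void
{
    if (!userIsLoggedIn() || !userHasActiveAccount()) {
        logoutUser();
        header('Location: ' . $loginUrl, true, 302);
        exit();
    }
}
```

Two design points worth noting: the login check is repeated on every request because PHP pages are independent scripts, which is exactly why the first answer stresses checking on page load; and role and active status are re-read from the database on each check so that the billing company's updates, not a stale session copy, decide access.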

The technical posts on this site follow the CC BY-SA 4.0 license. If you need to reprint, please indicate the site URL or the original address. Any questions, please contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM