http file access and php sessions

Question

If a site has php session\'s in place to enforce authentication/authorization to pages on the site which are implemented in php, how does the same logic enforce access to ce

Answer 1

You can try HTTP Authentication with PHP. This article might help.

Answer 2

A couple answers:

1) make your php sessions use HTTP authentication. Then you can use a .htaccess file to control file access in directories

2) Use mod_rewrite to redirect all requests to a "front controller". Let the front controller manage whether access is allowed, denied, or forwarded to a different controller module for further processing.

Answer 3

Since PHP won't be invoked when the user requests a non-PHP file, you can't have Apache enforce PHP's access protection. You can make a very coarse and easy-to-fake check in Apache to make sure that a session ID cookie is present, but that's highly insecure. It just checks if the cookie's there, not that it represents a valid session or that the user's actually been granted access.

This other answer might help. Using PHP/Apache to restrict access to static files (html, css, img, etc). Basically, you serve up all the protected content via a PHP script, instead of providing direct access.