Question
I asked this question before here but user CheekySoft pointed out that I was "asking how to implement my proposed solution" where instead I should just "state my problem and ask for solution ideas". So here goes.
On the Linux server I have the files set up like so:
/home
├── user1
│   ├── [-rwx------] index.html
│   └── [-rwx------] index.php
└── user2
    ├── [-rwx------] index.html
    └── [-rwx------] index.php
If I have Apache virtual hosts set up at
<Directory /home/user1>
<Directory /home/user2>
Then [any] user can go to www.example.com/user1/index.html or www.example.com/user2/index.html. However, the permissions on those files are 0700, therefore, they are inaccessible over the web. It is for this reason that I am using suPHP.
For the sake of argument, let's say index.php has only the following in it
index.php:
<?php
echo file_get_contents('index.html');
exit();
?>
Now, with suPHP set up, user1 can go to www.example.com/user1/index.php to view index.html. Likewise, user2 can go to www.example.com/user2/index.php to view index.html. However, user1 can also go to www.example.com/user2/index.php to view user2's index.html page, and vice versa for user2.
The natural way to deal with this is through PHP sessions. All requests to a page are redirected to a main page (i.e. www.facebook.com), the user is validated against the database, and then redirected to the correct page (see image below).
The users would go to a page (i.e. www.example.com/page1.html), and then there would be a portion of page 1 hard coded to ensure a valid session exists. If it exists, the page is loaded. If it does not exist, the user is redirected to, in this case, index.html. After they log in and a valid session is established, they are redirected back to the original page. We can modify index.php to carry this out:
indexValidate.php:
<?php
//this is purely pseudo code, I can't guarantee it will work
session_start();
require_once 'Session_Validator.php';
$sv = new Session_Validator();
$sv->validate($un, $pwd);
echo file_get_contents('index.html');
exit();
?>
However, in my design, these pages (page1.html, page2.html...) are in the user's own directory (index.html, index.php), therefore, the server can't demand that they have this hard coded section checking for a valid section. The user can simply edit the file to remove out this section. Of course this would be stupid on the user's part, but I don't want the user to have to modify every single one of their files to have a session check section at the top. I want this to be seamless.
A few notes:
- I can use Apache to redirect all requests to a single validateUser.php script which validates the user then, if valid, calls the original script requested. However, this has the side effect that suPHP has now already switched to a user, most likely var-www
- I do not want to use Apache web login authentication
Can anyone provide a solution to my problem?
Answer 1:
How about creating an Apache rewrite rule for all the users and creating one single PHP wrapper for all the HTML pages?
The RewriteRule could be something like:
RewriteCond %{REQUEST_URI} !^/auth
RewriteRule ^(.*) /auth/wrapper.php?uri=$1
And in wrapper.php:
- Check if user is validated. If not, redirect to /auth/validate.php?redirect=<where-I-came-from>
- If validated, load the file mentioned in uri=<...>
echo file_get_contents('<...>');
EDIT: You can create symbolic links to the wrapper.php and then set the permissions on the symbolic link to the user. You could do this in the auth folder:
ln -s wrapper.php username1.php
chown -h username1:username1 username1.php
Then you will get a folder like this:
-r--r--r--. 1 var-www var-www 15 march 3 12:45 wrapper.php
lrwxrwxrwx. 1 username1 username1 17 march 3 12:47 username1.php -> wrapper.php
lrwxrwxrwx. 1 username2 username2 17 march 3 12:52 username2.php -> wrapper.php
lrwxrwxrwx. 1 username3 username3 17 march 3 12:52 username3.php -> wrapper.php
Please note: The user must be able to read the auth directory. To make it even more secure you can put the wrapper.php in a separate directory.
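The two wrapper.php steps above, written out as an added example that is not part of the original answer: it assumes validate.php (hypothetical) stores the account name in $_SESSION['user'] and that the uri value is a path under /home as in the question. The realpath() prefix check keeps a uri such as user2/index.html, or one containing ../ sequences, from resolving outside the logged-in user's own directory.

```php
<?php
// Added example: a hypothetical wrapper.php, not the answer's own code.
declare(strict_types=1);

const HOME_ROOT = '/home';   // assumption: directory layout from the question

/**
 * Map the rewritten ?uri= value to an HTML file inside $user's home.
 * Returns the canonical path, or null if it resolves anywhere else.
 */
function resolve_user_path(string $homeRoot, string $user, string $uri): ?string
{
    // Account names only (refuses '..', '/' and empty); no NUL bytes in the URI.
    if (!preg_match('/^[a-z_][a-z0-9_-]*$/', $user) || strpos($uri, "\0") !== false) {
        return null;
    }
    $base = realpath($homeRoot . '/' . $user);
    // realpath() collapses '..' and follows symlinks; it returns false if missing.
    $path = realpath($homeRoot . '/' . ltrim($uri, '/'));
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Serve static HTML only, so index.php source is never echoed back.
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'html') {
        return null;
    }
    // Compare with a trailing separator so /home/user1 does not match /home/user10.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
$uri = is_string($_GET['uri'] ?? null) ? $_GET['uri'] : '';

// Step 1 from the answer: unauthenticated requests go to the login script.
if (!isset($_SESSION['user']) || !is_string($_SESSION['user'])) { // assumed key
    header('Location: /auth/validate.php?redirect=' . rawurlencode($uri));
    exit;
}

// Step 2: serve the file only if it resolves inside the logged-in user's home.
$path = resolve_user_path(HOME_ROOT, $_SESSION['user'], $uri);
if ($path === null) {
    http_response_code(403);
    exit('Forbidden');
}
header('Content-Type: text/html; charset=utf-8');
readfile($path);
```

Whether the process can actually read a 0700 file still depends on which account suPHP runs the wrapper as; the path check is independent of that.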
Source: https://stackoverflow.com/questions/9542263/need-help-implementing-php-sessions-in-suphp