Tutorial: .htaccess and sessions for security?



Question:

In my application users have their own "websites" which can be reached if they are signed in.

However, since these websites are just directories containing HTML and other documents, everyone in the world can reach them if they know the address. I can't have that :) A user should be able to decide whether or not the world might see their files.

Can I use .htaccess to activate a PHP-script every time a request is made to that directory?

I.e. if requested-site is "/websites/{identifier}", run is-user-allowed-to-view.php?website={identifier}

The identifier is a numeric value which refers to both a physical folder and a post in the database... and the script would then return true or false.

Or is there perhaps another way of solving the same issue?

Cheers!


Solution:1

You can use mod_rewrite to rewrite requests with such a URL internally to your script:

    RewriteEngine on
    RewriteRule ^website/([0-9]+)$ is-user-allowed-to-view.php?website=$1

But this rule is only for the URL path /website/12345 and nothing else.


Solution:2

Or have every page as a PHP page and just put at the top a single line to redirect if the session / cookie is incorrect or not set. Obviously wouldn't work for non-PHP content such as images.


Solution:3

What you need is a proper front-end (written in whatever language). You need to have your web-server (Apache in your case it seems) pass the requests to the said front-end.

You cannot do what you are asking for with just .htaccess files.
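
One way to combine the rewrite from Solution 1 with the front-end that Solution 3 calls for, as an added example that is not part of the original answers. The storage path, database DSN, the `websites(id, owner_id, is_public)` table and the `$_SESSION['user_id']` key are assumptions made for illustration.

```php
<?php
// is-user-allowed-to-view.php -- added example, not code from the answers.
// Assumed .htaccess rule (Solution 1's rule extended to carry the file path):
//   RewriteEngine on
//   RewriteRule ^websites/([0-9]+)/(.*)$ is-user-allowed-to-view.php?website=$1&file=$2 [L]
// Assumption: site folders are stored outside the document root, so this
// script is the only way to reach them.
session_start();

const SITE_ROOT = '/var/www/private/websites';      // hypothetical path
const DB_DSN    = 'sqlite:/var/www/private/app.db'; // hypothetical database
$types = ['html' => 'text/html; charset=utf-8', 'css' => 'text/css',
          'js' => 'text/javascript', 'png' => 'image/png',
          'jpg' => 'image/jpeg', 'gif' => 'image/gif'];

function deny(int $code): void { http_response_code($code); exit; }

$id   = $_GET['website'] ?? '';
$file = $_GET['file'] ?? '';
if (!is_string($id) || !ctype_digit($id) || !is_string($file)) deny(404);
if ($file === '' || substr($file, -1) === '/') $file .= 'index.html';

// Hypothetical schema: websites(id, owner_id, is_public).
$db = new PDO(DB_DSN, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $db->prepare('SELECT owner_id, is_public FROM websites WHERE id = ?');
$stmt->execute([$id]);
$site = $stmt->fetch(PDO::FETCH_ASSOC);
if ($site === false) deny(404);

// Private sites are visible only to the signed-in owner.
$isOwner = isset($_SESSION['user_id'])
    && (int) $_SESSION['user_id'] === (int) $site['owner_id'];
if (!(int) $site['is_public'] && !$isOwner) deny(403);

// Resolve ".." and symlinks first, then require the result to stay
// inside this site's folder (blocks path traversal via the file parameter).
$base = realpath(SITE_ROOT . '/' . $id);
$path = $base === false ? false : realpath($base . '/' . $file);
if ($path === false || !is_file($path)
    || strncmp($path, $base . '/', strlen($base) + 1) !== 0) deny(404);

// Serve bytes only, for an allowlisted extension; never include() user files.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($types[$ext])) deny(404);
header('Content-Type: ' . $types[$ext]);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because every file type passes through the script, this also covers images and other non-PHP content, which Solution 2 notes a per-page check cannot protect.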

