How to protect a directory ?

Status
Not open for further replies.

cmartins

Technical User
Oct 16, 2001
8
BR
Hello

I'm using a PHP module for authentication (authentication against a MySQL Database).

However the authentication only protects a single page and I'd like to protect the whole directory !!

How can I do that ???

Below is the code I've used.

-----------------------------------------------------------

<?php

$auth = false; // Assume user is not authenticated

// With register_globals off, the Basic-auth credentials arrive in $_SERVER
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {

    // Connect to MySQL and select the database
    $db = mysqli_connect('hostname', 'username', 'password', 'your_db')
        or die('Unable to connect to server.');

    // Formulate the query; placeholders keep the submitted values out of the SQL text
    $stmt = mysqli_prepare($db, 'SELECT * FROM users WHERE username = ? AND password = ?')
        or die('Unable to execute query.');
    mysqli_stmt_bind_param($stmt, 'ss', $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);

    // Execute the query and buffer the result
    mysqli_stmt_execute($stmt)
        or die('Unable to execute query.');
    mysqli_stmt_store_result($stmt);

    // Get number of rows in the result
    $num = mysqli_stmt_num_rows($stmt);

    if ($num != 0) {
        // A matching row was found - the user is authenticated.
        $auth = true;
    }
}

if (!$auth) {
    // Ask the browser for credentials
    header('WWW-Authenticate: Basic realm="Private"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
} else {
    echo '<P>You are authorized!</P>';
    // MAIN PAGE
}

?>

----------------------------------------------------------
 
You can't really protect the entire directory using PHP.
However, you could use the ".htaccess" method.
If you really want to use PHP, why not use sessions? The only downside is that on every page, you'll need to check the session ID,
i.e. if the session is not set, then kick the user out.

For more info on sessions:
cheers devnull22

--
Apparently if you play the Windows NT CD backwards you hear satanic messages. If you think that's bad, play it forwards and it installs Windows NT !
 
I do the same thing.
The only way to do that is to make sure you have index.php in the directory and make sure that file is calling your auth.h file as an inclusion.

That doesn't really protect the whole directory, but they'd have to know the physical names of the files in the directory to access them, and that's hard unless you know what is in the directory.

One thing I did in addition to the auth.h I wrote was to include a "fake" session check.
Basically, I hate using sessions, so I just fudged a little... I created a table called sessions, and when a user authenticates, it adds a record to that table with the timestamp of when they authenticated.
Once the user logs out, that record's status is changed to 0 to show he is logged out and requires re-authentication.
If they don't log out and just simply close the browser, they'll have to re-authenticate to get back in that directory, and when they do that, I have it clear the previous record in sessions and create a new one for them.
(I also put in a 7200 second timeout, so if they haven't logged out within 2 hrs, it automatically requires re-authentication as well.)

 
There is one more possibility. If you have access to the server you can use the .htaccess to connect to a MySQL DB in the httpd.conf.
In that way all underlying dirs are protected. Otherwise you have to use cookies or sessions and check the rights of a user on every page. mcvdmvs
-- "It never hurts to help" -- Eek the Cat
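
The per-page session check that the replies describe, with the 7200-second limit from the second reply, written out as an added example (it is not code from any poster in this thread). The file name `auth_check.php`, the `/login.php` URL, the session keys `user` and `login_at`, and an HTTPS-only site are assumptions.

```php
<?php
// auth_check.php (hypothetical name). Added example, not code from the thread.
// Assumed: session keys 'user'/'login_at', a /login.php page, an HTTPS-only site.

const LOGIN_LIFETIME = 7200; // seconds; the 2-hour limit mentioned in the thread

// Pure decision: does this session array represent a live login at time $now?
function session_is_valid(array $session, int $now, int $limit = LOGIN_LIFETIME): bool
{
    if (empty($session['user']) || !isset($session['login_at'])) {
        return false; // never logged in, or already logged out
    }
    return ($now - (int) $session['login_at']) <= $limit; // login not older than the limit
}

// Call from the login page, after session_start() and after the password check passed.
function mark_logged_in(string $user): void
{
    session_regenerate_id(true); // fresh id so an id issued before login cannot be reused
    $_SESSION['user'] = $user;
    $_SESSION['login_at'] = time();
}

// Call at the top of every protected page: returns the user name or ends the request.
function require_login(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie is hidden from scripts, sent over HTTPS only, and not sent cross-site on POST
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
    if (!session_is_valid($_SESSION, time())) {
        $_SESSION = [];      // drop stale data
        session_destroy();   // remove the server-side record
        header('Location: /login.php', true, 302);
        exit;                // nothing after this runs for an unauthenticated request
    }
    return $_SESSION['user'];
}
```

Each protected page starts with `require 'auth_check.php'; $user = require_login();`. A file in the directory that omits the call is not protected by this check.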
 