我有一个管理脚本。
I have an ADMIN script.
admin/index.php
所有的活动都是通过这个的index.php
文件来完成。 用户登录在获得该程序的功能访问之前。 $ _ SESSION ['user_authenticated']
创建并设置为真的。照片
All activity is done through this index.php
file. Users are logging in before gaining access to the program functionality.$_SESSION['user_authenticated']
is created and set to true.
admin/template/..
此文件夹包含图片
, CSS
,的JavaScript
文件。 他们只是在这个ADMIN使用。 (在后台只)的
This folder contains images
, css
, javascript
files. They are used only within this ADMIN. (in the backend only)
的问题:
我需要从管理/模板/..目录加以保护,防止直接进入。照片应该是可用只有通过身份验证的用户。
I need all the content from admin/template/..
directory to be protected against direct access.It should be available only to authenticated users.
我想必须有一个的.htaccess
重定向请求 check_session_auth_variable.php
,它看起来如果 $ _ SESSION ['user_authenticated']
是真正或错误和重定向到请求的文件或< STRONG>抛出一个404错误
I guess there has to be a .htaccess
redirecting requests to check_session_auth_variable.php
, which looks if $_SESSION['user_authenticated']
is true or false and redirects to requested file or throws a 404 error?
我知道,最好的办法是把Web根目录以外的目录,但对我来说,我需要不断的目录结构,而不做修改。的
管理/ htaccess的:
RewriteCond %{REQUEST_FILENAME} !check_auth.php
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule .* check_auth.php?file=$0 [QSA,L] # pass everything thru php
管理/ check_auth.php:
$file = $_GET['file'];
if($_SESSION['user_authenticated']) {
// please mind you need to add extra security checks here (see comments below)
readfile($file); // if it's php include it. you may need to extend this code
}else{
// bad auth error
}