0

I'm trying to block viewing a JavaScript page (.js) if the user is not logged in. I wanna do it from the index.php page by writing a 404 or 403 header. How is it done?
Note: I don't wanna use chmod since it globally changes the file permissions and not just for the visitor.

header("HTTP/1.0 404 Not Found", "js.js"); 

js.js is a false parameter, just a sample of how I want it, or something that does a similar thing.

Osa
  • `index.php` will not be invoked when another file is accessed. So doing it in PHP is not an option. Read up on mod_rewrite or Apache access rules. – mario Jun 30 '12 at 00:15
  • Anything similar to be done? My target is to block the user from viewing the file if session['status'] is 'failed' – Osa Jun 30 '12 at 00:17
  • ...you can make it `js.js.php` and do check here... Or just make `php` to parse `js` files too. However, mario's approach is better as being less resource intensive. – Sampo Sarrala - codidact.org Jun 30 '12 at 00:19
  • possible duplicate of [http file access and php sessions](http://stackoverflow.com/questions/3603271/http-file-access-and-php-sessions) and / or [Restrict file access — only read through PHP](http://stackoverflow.com/questions/3472770/restrict-file-access-only-read-through-php) – mario Jun 30 '12 at 00:24

5 Answers

2

You will need a separate script for this. Such as

file.php

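<?php
$file = $_GET['file'] ?? '';
// Whitelist of files that may be served; anything else is rejected
$filelist = array('js.js');
if (in_array($file, $filelist, true))
{
    header('Content-Type: application/javascript');
    header('Cache-Control: no-store'); // the header name needs the hyphen
    header('Content-Disposition: inline; filename="' . $file . '"');
    // readfile() sends the file as-is; include would run any PHP tags in it
    readfile("../files/$file");
}
else
{
    http_response_code(404);
}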

to use it

<script src="file.php?file=js.js"></script>

and put your files in a non web accessible location

Kris
  • +1 for using a whitelist for allowed files rather than sanitizing `$file`. However, `Cache Control: No-store` is not a requirement, see here [w3.org/Protocols/rfc2616-sec14](http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html). – Sampo Sarrala - codidact.org Jul 08 '12 at 12:45
0

There is no secure way to do that except giving out *.js using a separate php script. In this script you would check user's cookie/session data and then readfile() the js you want to protect.

This is a really hacky way... why do you need it?

Sergey Eremin
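
The session check plus `readfile()` approach described in the answer above, combined with the file allowlist from the earlier answer, as an added example that is not part of any answer on this page. The script name `serve_js.php`, the `../private_js` directory and the `'success'` status value (taken from the asker's comments) are assumptions.

```php
<?php
// serve_js.php - added example, not code from any answer on this page.
// Assumed layout: protected scripts live in ../private_js, outside the web root.
declare(strict_types=1);

const PROTECTED_DIR = __DIR__ . '/../private_js';

// Allowlist: public name => file on disk. Request input is never used as a path.
const ALLOWED_SCRIPTS = ['js.js' => 'js.js'];

/** True only for a session explicitly marked 'success' (deny by default). */
function is_authorized(array $session): bool
{
    return ($session['status'] ?? null) === 'success';
}

/** Map a requested name to an absolute path, or null if it is not allowlisted. */
function resolve_script(string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_SCRIPTS)) {
        return null;
    }
    $path = realpath(PROTECTED_DIR . '/' . ALLOWED_SCRIPTS[$name]);
    return ($path !== false && is_file($path)) ? $path : null;
}

session_start();

if (!is_authorized($_SESSION)) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Forbidden');
}

// ?file[]=x arrives as an array, so accept strings only.
$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolve_script($name) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}

header('Content-Type: application/javascript; charset=utf-8');
header('X-Content-Type-Options: nosniff');
// The response depends on the session, so no cache may store or reuse it.
header('Cache-Control: private, no-store');
readfile($path); // sends the bytes as-is; unlike include, never runs them as PHP
```

A page would reference it as `<script src="serve_js.php?file=js.js"></script>`; a direct request for the `.js` file fails because the file is no longer under the web root.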
0

People have suggested how you can do this. Here is one practical solution.

As mentioned, you write a script that does your session checking and redirects with a header() call to whatever error handling solution you want.

I would not advocate you call the script js.js.php. In general you don't want to allow files with somename.somename.ext due to intrinsic issues with apache.

So instead, simply name your script js.js. However, the source for js.js should be php code that does the session check, and if ok, returns the javascript source, with the appropriate mime type header.

Then in your htaccess for the directory you can add a custom Files rule:

<Files js.js>
SetHandler application/x-httpd-php
</Files>

Apache will then treat js.js as a php file, even though this functionality is otherwise invisible.

gview
0

This doesn't answer the question, but what can be done is simply to not require the JS script if the user doesn't have the necessary rights. What you're trying to do is an overkill with no added value.

<?php if ($isUserLoggedIn): ?>
    <script src="js.js" type="text/javascript"></script>
<?php endif; ?>
Samy Dindane
-1

You could create your own 404 page and use the include function for it in the part of the file you want it.

  • It has nothing to do with what I asked for. If the visitor visited http://localhost/js.js, it will normally load. PHP's duty is to check whether he's logged on or not through the session; if not, then change permission for him to view that page till session becomes 'success' – Osa Jun 30 '12 at 00:19