For example, a user cannot access any PHP files like www.mywebsite.com/mypage.php.
That user is redirected back to the login page if they are not logged in.

The problem is they are able to access a URL like: www.mywebsite.com/test/mydocument.pdf.

How can I deny access and redirect to the login page, if they are not logged in?

Brock Adams
  • 90,639
  • 22
  • 233
  • 295
user3597763
  • 27
  • 1
  • 6
  • So you want them to be able to get to `mydocument.pdf` when not logged in or not? – AbraCadaver Sep 15 '16 at 21:19
  • Maybe this is useful, I think the answer there is good: https://stackoverflow.com/questions/19645196/php-restrict-access-to-files-in-directory – Bolli Sep 15 '16 at 21:34

3 Answers

1

I'm sure there are multiple solutions to this problem. The one I find myself doing most often is as follows:

  1. Store the static files outside of the exposed website folder tree, so a user can't simply navigate to that url.
  2. Write a php page that's purpose is a "download" page. This page will check for session, like you do on your other php pages, and will read the file from the location where you have it stored outside of the web root.

There should be numerous examples of how to send a file to the browser from php, so I won't get into that here, but you should be aware that there are definitely security risks that have to be mitigated to ensure that the user is only downloading files you want them to have access to.

Andy Arndt
  • 385
  • 1
  • 7
0

A similar question is here: "php redirect if not logged in".

Just check with sessions

session_start(); // the session must be started before $_SESSION is readable

if(!isset($_SESSION['login'])){
    header("Location: http://www.example.com/login.php");
    exit(); // stop here so nothing after the redirect header is sent
}

Also with sessions you can set privileges to users to access files based on their rank.

Community
  • 1
  • 1
O.Rares
  • 1,031
  • 1
  • 16
  • 19
0

What I do is when the user logs in, I set a session variable, like so

$_SESSION['loggedin'] = true;

Then, on each page I do this at the VERY beginning of the page

session_start();

if(!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true){
    header('Location: http://www.foo.com/login.php');
    exit();    // <-- THIS IS VERY IMPORTANT
}

MAKE SURE to include the exit(); function call. Otherwise, the client could deny the redirect request, and the rest of the page would render. This way, even if the client denies the redirect request, all they get is a blank page. Have fun :)

PS: If you want to be clever and prevent yourself from repeating code, create a PHP file called "functions.php" (or something similar that you like). Then, inside of functions.php create a function called "requireLogin()":

function requireLogin(){
    if(!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true){
        header('Location: http://www.foo.com/login.php');
        exit();    // <-- THIS IS VERY IMPORTANT
    }
}

Now, in each page that you want to protect, do this:

session_start();
require('functions.php');
requireLogin();

BOOM, page is protected, and the beginning of your pages looks much cleaner.

Native Coder
  • 1,792
  • 3
  • 16
  • 34
  • I am familiar with that option, however, my issue is with files/documents within another folder or folders like such: www.mywebsite.com/page/yourdocument.pdf . In this case, the files are still viewable to users by typing the URL directly. – user3597763 Sep 15 '16 at 21:28
  • In that case replace the actual PDF with a PHP file. The PHP file will check to see if they are logged in. If they are, the PHP file will send them the PDF. The trick is to put the PDF OUTSIDE of the webroot. So find the WWW folder, and put the PDF outside of the WWW folder. Somewhere like /var/hiddendocs – Native Coder Sep 15 '16 at 21:36
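The "download page" that Andy Arndt's answer describes and Native Coder's last comment sketches, written out as an added example (not code from either answer). It assumes the documents live in /var/hiddendocs, that login sets $_SESSION['loggedin'] as in Native Coder's answer, and that the script is saved as download.php and linked as download.php?file=mydocument.pdf; the file-name whitelist and the realpath check are the mitigation for the "only the files you want them to have" risk Andy mentions.

```php
<?php
// Added example (not from any answer above): gate script that serves a PDF
// stored outside the web root only to a logged-in session.
// Assumed: docs in /var/hiddendocs, $_SESSION['loggedin'] set at login,
// this file saved as download.php and called as download.php?file=NAME.pdf
declare(strict_types=1);
session_start();

// 1. Same session check as on the other protected pages. exit() matters:
//    without it the rest of the script would still run after the header.
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
    header('Location: /login.php');
    exit();
}

// 2. Directory outside the web root that holds the protected documents.
$docRoot = realpath('/var/hiddendocs');
if ($docRoot === false) {
    http_response_code(500);
    exit('Document store not available');
}

// 3. Accept only a bare file name: basename() drops any directory part and
//    the pattern allows just letters, digits, dot, dash and underscore.
$requested = basename((string)($_GET['file'] ?? ''));
if ($requested === '' || !preg_match('/^[A-Za-z0-9._-]+\.pdf$/', $requested)) {
    http_response_code(400);
    exit('Bad request');
}

// 4. Resolve the path and confirm it is still inside $docRoot; this also
//    catches symlinks that point elsewhere.
$path = realpath($docRoot . DIRECTORY_SEPARATOR . $requested);
if ($path === false || !is_file($path)
    || strpos($path, $docRoot . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// 5. Stream the file; the Content-Disposition name is the sanitized one only.
header('Content-Type: application/pdf');
header('Content-Length: ' . (string)filesize($path));
header('Content-Disposition: attachment; filename="' . $requested . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
exit();
```

Links in the protected pages then point at download.php?file=… instead of at the PDF, so the PDF itself is never reachable by URL.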