To prevent my files from being accessed, I've set up an .htaccess that only allows the user to redirect through the login page. The problem is that I don't know how to allow access to the directory, since the folder is opened through a `require_once`.

Example - index.php

```php
<?php
require_once("filterLoginPage.php");
?>
```

I've tried this method, which seemed logical because the folder is opened through the index.php - but whenever I'm loading the folder URL through localhost, the localhost still gives me a 403 ERROR.

My .htaccess

```apache
<Limit GET POST>
       order deny,allow
       deny from all
       allow from 127.0.0.1
</Limit>
<Limit PUT DELETE>
       order deny,allow
       deny from all
</Limit>

Order deny,allow
Deny from all

<Files "index.php">
    Allow from all
</Files>
<Files "filterLoginPage.php">
    Allow from all
</Files>
```
Talon
  • It's pretty unclear, but are you asking how to make index.php the default file which is loaded if the URL only specifies the folder and not a file? I've no idea what `the folder is opened through a require_once` actually means either...the require_once command can only load a PHP script file, not a folder. – ADyson Jan 27 '21 at 15:43
  • Any reason why you are using Apache 2.2 commands? Are you actually running Apache 2.2 or 2.4? – RiggsFolly Jan 27 '21 at 15:43
  • @ADyson I want to make filterLoginPage.php the default file, so that other files can't be accessed through URL. So there's an authentication before you can access the web application, which contains confidential information of customers. The person before me used a require_once on the index.php file so that when you access the folder in Localhost it'll instantly show the filterLoginPage.php – Talon Jan 27 '21 at 15:48
  • @RiggsFolly I'm new to .htaccess and use the resources I can find on the internet – Talon Jan 27 '21 at 15:49
  • Ok. Did you try to set `DirectoryIndex filterLoginPage.php` then, for example? Googling how to set a default page in htaccess is fairly easy... – ADyson Jan 27 '21 at 15:55
  • _“so that other files can't be accessed through URL.”_ - then you should _rewrite_ the requests for all those other URLs to your login check script. That script then checks whether the user has access, and if so, it then needs to read the content of the actual file behind the requested URL via the file system, and pass the content along to the client. – CBroe Jan 28 '21 at 07:48
  • @ADyson Thanks for the tip, I applied it to my htaccess, for now I'll have to figure out the rewrite request for the other URLs and hope that it'll work out (: – Talon Jan 28 '21 at 08:28
  • @CBroe +1 - I'll look it up and see what I can find ! Thank you in advance – Talon Jan 28 '21 at 08:30
  • @CBroe Thank you for the advice! I used this to secure my files https://help.dreamhost.com/hc/en-us/articles/216363167-How-do-I-deny-access-to-my-site-with-an-htaccess-file- And it works perfectly! – Talon Jan 28 '21 at 10:25
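
The approach CBroe's comment describes (rewrite every request to a login check script that reads the file from disk and streams it), as an added example that is not code from this thread. The script name `gate.php`, the session key `user_id`, the rewrite rules in the header comment and the list of servable types are assumptions.

```php
<?php
// gate.php (hypothetical name). Assumed .htaccess beside it, mod_rewrite enabled:
//   RewriteEngine On
//   RewriteCond %{REQUEST_URI} !/(gate|filterLoginPage)\.php$
//   RewriteRule ^(.*)$ gate.php?path=$1 [L]
// No QSA flag: the client's own query string must not be able to supply "path".
declare(strict_types=1);

const SERVABLE = [   // static types only, so .php source and .htaccess are never streamed
    'html' => 'text/html; charset=utf-8',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];

/** Map a requested path to a real file under $root, or null if it must not be served. */
function resolveProtectedFile(string $requested, string $root): ?string
{
    $root = realpath($root);
    $full = $root === false
        ? false
        : realpath($root . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($full === false || !is_file($full)) {
        return null;
    }
    // realpath() resolved ".." and symlinks; the result must still sit under $root.
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    return isset(SERVABLE[$ext]) ? $full : null;
}

session_start();
if (empty($_SESSION['user_id'])) {   // assumption: filterLoginPage.php sets this on login
    $base = rtrim(dirname($_SERVER['SCRIPT_NAME']), '/\\');
    header('Location: ' . $base . '/filterLoginPage.php', true, 302);
    exit;
}

$path = $_GET['path'] ?? '';
$ok = is_string($path) && strpos($path, "\0") === false;
$file = $ok ? resolveProtectedFile($path, __DIR__) : null;
if ($file === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . SERVABLE[strtolower(pathinfo($file, PATHINFO_EXTENSION))]);
header('X-Content-Type-Options: nosniff');
readfile($file);
```

Because the access decision is made by the session check rather than by client IP, the `Deny from all` / `Allow from 127.0.0.1` rules are not what protects the files in this layout.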

0 Answers