开发者

Advanced Directory Protection

问答 作者:

I have a script that basically asks a user to log in upon entering a directory. Once the user authenticates correctly, they are redirected to their subdirectory. That all works fine, but if they change the URL and enter somebody else's subdirectory in, they can access it.

Here is my .htaccess:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile (path_to)/.htpasswd
Require valid-user
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^(.*)/$ index.php?a=$1
ErrorDocument 404 http://localhost/(path_to)/myfiles/

And my PHP in index.php:

<?php
//$_SERVER['PHP_AUTH_USER'] = Entered username
//$_SERVER['PHP_AUTH_PW'] = Entered password
if (!isset($_SERVER['PHP_AUTH_USER'])){
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
else {
    if($_GET['a']==null){
        header("Location: ".strtolower($_SERVER['PHP_AUTH_USER'])."/");
        echo Hello;
    }
    else{
        if(strtolower($_SERVER['PHP_AUTH_USER'])==strtolower($_GET['a'])){
            echo "welcome, ".$_SERVER['PHP_AUTH_USER'];
            echo "<br/>you accessed ".$_GET['a'];
        }
        else {
            echo "woops, you're not ".$_GET['a']."!";
        }
    }
}
?>

Currently, that works. It will say 'woops, you're not (bad username)' if you changed the URL, but the problem is that the real user can't actually see their own stuff. Just like 开发者_StackOverflowin Apache, I want to view the index.php or the directory listing if files were found, but I don't know how to do that here, having to catch all the requests and process them.

How can I do this? I'm completely lost :(

Example scenario of what I want to happen: Person1 logs into their account using their credentials. They are taken to myfiles/person1, where they can see their stuff. However, if Person1 changes myfiles/person1 to myfiles/person2, they get an error.

I don't understand why user is allowed to enter other users direcories. Maybe you didn't notice and stored their username on the same password file. I have written-runned a fast example localy and it works fine.

Apacha has some good tutorials, check it out.

However a quick start would be this example I tested:

place a .htaceess in some 'example' directory

with this content:

AuthName "Please notice! This directory is protected!"
AuthType Basic
AuthUserFile  c:/.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>

Then on your c drive (I am on windows, check for read access if needed) put the .htpasswd file with this content:

john:smith

Then just enter as john(username) smith(password).

Do the same for every directory you want to protected, place a .htaccess indicating to the realted .htpasswd file.

This is very basic, read some tutorial to get in more depth.

继续阅读:.htaccess.htpasswdphp

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9