
Advanced Directory Protection

I have a script that basically asks a user to log in upon entering a directory. Once the user authenticates correctly, they are redirected to their subdirectory. That all works fine, but if they change the URL and enter somebody else's subdirectory in, they can access it.

Here is my .htaccess:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile (path_to)/.htpasswd
Require valid-user
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^(.*)/$ index.php?a=$1
ErrorDocument 404 http://localhost/(path_to)/myfiles/

And my PHP in index.php:

<?php
// $_SERVER['PHP_AUTH_USER'] = entered username
// $_SERVER['PHP_AUTH_PW']   = entered password
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // No credentials yet: ask the browser for Basic authentication
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
else {
    if (empty($_GET['a'])) {
        // No directory requested: send the user to their own subdirectory
        header("Location: " . strtolower($_SERVER['PHP_AUTH_USER']) . "/");
        echo "Hello";
        exit;
    }
    else {
        // Only let the user into the directory that matches their own name
        if (strtolower($_SERVER['PHP_AUTH_USER']) == strtolower($_GET['a'])) {
            echo "welcome, " . htmlspecialchars($_SERVER['PHP_AUTH_USER']);
            echo "<br/>you accessed " . htmlspecialchars($_GET['a']);
        }
        else {
            echo "woops, you're not " . htmlspecialchars($_GET['a']) . "!";
        }
    }
}
?>

Currently, that works. It will say 'woops, you're not (bad username)' if you changed the URL, but the problem is that the real user can't actually see their own stuff. Just like in Apache, I want to view the index.php or the directory listing if files were found, but I don't know how to do that here, having to catch all the requests and process them.

How can I do this? I'm completely lost :(

Example scenario of what I want to happen: Person1 logs into their account using their credentials. They are taken to myfiles/person1, where they can see their stuff. However, if Person1 changes myfiles/person1 to myfiles/person2, they get an error.
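One way to get the behaviour described in that scenario (a user sees their own index.php or a listing of their own files, and any other user's directory is rejected) is to make index.php decide authorization on canonical filesystem paths and then serve the file or listing itself. The script below is an added example, not code from the question. It assumes the same layout as the question (a myfiles/ directory with one subdirectory per user, Apache Basic auth already verified the user, so $_SERVER['PHP_AUTH_USER'] is trustworthy) and that the rewrite rule hands every path below myfiles/ to index.php in $_GET['a']; the constant FILES_ROOT and the functions authorizedPath, listDirectory and serve are names chosen for this example.

```php
<?php
// Added example, not the original poster's code. Assumes Apache Basic auth has
// already verified the user (so $_SERVER['PHP_AUTH_USER'] is trustworthy) and
// that a rewrite rule routes every request below myfiles/ to this script with
// the requested path, relative to myfiles/, in $_GET['a'] (hypothetical setup).
const FILES_ROOT = __DIR__ . '/myfiles';   // one subdirectory per user (assumed layout)

// Returns the canonical path to serve if $requested lies inside $user's own
// subdirectory, otherwise null. Every authorization decision happens here.
function authorizedPath(string $user, string $requested): ?string
{
    // Usernames come from .htpasswd, but constrain the charset anyway before
    // building a filesystem path from them; reject NUL bytes in the request.
    if (!preg_match('/^[a-z0-9_-]+$/', $user) || strpos($requested, "\0") !== false) {
        return null;
    }
    $userRoot = realpath(FILES_ROOT . '/' . $user);
    $target   = realpath(FILES_ROOT . '/' . $requested);
    if ($userRoot === false || $target === false) {
        return null;                     // no such directory or file
    }
    // Compare canonical paths: realpath() has already resolved "..", "./" and
    // symlinks, and the trailing separator stops "person1" matching "person10".
    $inside = $target === $userRoot
        || strpos($target, $userRoot . DIRECTORY_SEPARATOR) === 0;
    return $inside ? $target : null;
}

// Renders a minimal listing of a directory the caller has already authorized.
function listDirectory(string $dir, string $user): void
{
    echo '<h1>Files for ' . htmlspecialchars($user) . '</h1><ul>';
    foreach (scandir($dir) as $entry) {
        if ($entry[0] === '.') {
            continue;                    // skip ".", ".." and dotfiles such as .htaccess
        }
        // Relative links keep the browser under the same (authorized) URL prefix.
        $href = rawurlencode($entry) . (is_dir("$dir/$entry") ? '/' : '');
        echo '<li><a href="' . htmlspecialchars($href) . '">'
           . htmlspecialchars($entry) . '</a></li>';
    }
    echo '</ul>';
}

// Serves the request: 403 when outside the user's area, otherwise the user's
// own index.php, a directory listing, or the file itself.
function serve(string $user, string $requested): void
{
    $path = authorizedPath($user, $requested);
    if ($path === null) {
        http_response_code(403);
        echo "woops, you're not allowed to view " . htmlspecialchars($requested) . '!';
        return;
    }
    if (is_dir($path)) {
        if (is_file($path . '/index.php')) {
            require $path . '/index.php';  // per-user index page, if present
        } else {
            listDirectory($path, $user);
        }
        return;
    }
    $type = mime_content_type($path);
    header('Content-Type: ' . ($type !== false ? $type : 'application/octet-stream'));
    readfile($path);
}

if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Restricted Area"');
    http_response_code(401);
    exit;
}
$user      = strtolower($_SERVER['PHP_AUTH_USER']);
$requested = isset($_GET['a']) ? (string) $_GET['a'] : '';
if ($requested === '') {
    // Nothing requested: send the user to their own directory.
    header('Location: ' . rawurlencode($user) . '/');
    exit;
}
serve($user, $requested);
```

Two points worth checking before using this. The question's RewriteRule only matches URLs that end in a slash, so files inside a user's directory would still be served by Apache directly, bypassing the check; the rule has to catch every path under myfiles/ (except index.php itself) for the script to be the single gate. And the `require` of a per-user index.php is only safe when users cannot write into their own directories; if they can upload files, drop that branch and always use the listing, otherwise an uploaded index.php runs as server-side code.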


I don't understand why the user is allowed to enter other users' directories. Maybe you didn't notice and stored their usernames in the same password file. I have written and run a fast example locally and it works fine.

Apache has some good tutorials, check them out.

However a quick start would be this example I tested:

place a .htaccess in some 'example' directory

with this content:

AuthName "Please notice! This directory is protected!"
AuthType Basic
AuthUserFile  c:/.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>

Then on your C drive (I am on Windows, check for read access if needed) put the .htpasswd file with this content:

john:smith

Then just enter john (username) and smith (password).

Do the same for every directory you want to protect: place a .htaccess pointing to the related .htpasswd file.

This is very basic, read some tutorial to get in more depth.
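The per-directory approach above can use one shared password file instead of a separate .htpasswd per directory: the parent directory requires any valid user, and each user's subdirectory narrows that to one named user with `Require user`. The configuration below is an added example, not part of the answer; the paths /var/www/myfiles and /etc/apache2/.htpasswd and the user names are placeholders.

```apache
# Added example (not from the answer above). Placeholder paths and user names.
# One password file, maintained with the htpasswd utility, for all users.
<Directory "/var/www/myfiles">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile "/etc/apache2/.htpasswd"
    Require valid-user
    # Let mod_autoindex list the files when a directory has no index page.
    Options +Indexes
</Directory>

# Each user's subtree replaces the inherited "valid-user" rule with one user.
# A request for /myfiles/person2/ by person1 gets 403, not a listing.
<Directory "/var/www/myfiles/person1">
    Require user person1
</Directory>

<Directory "/var/www/myfiles/person2">
    Require user person2
</Directory>
```

The same directives can live in each directory's own .htaccess instead of the main configuration, which then needs `AllowOverride AuthConfig` (and `Options` for the Indexes line). With Apache 2.4's default `AuthMerging Off`, the `Require user` in the subdirectory replaces the parent's `Require valid-user` rather than being ORed with it, which is what makes the restriction effective. The check is done by Apache before PHP runs, so it also covers files requested directly, not just URLs that pass through index.php.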
