PHP login for a website folder

I have a folder on my website called "admin", i.e. www.example.com/admin/. What I want to do is, when someone goes to that address, a login box is displayed; once they put in the right credentials, they are allowed to see everything in that "admin" folder. So do I need to put in a check at the top of every page, or can I just stick the check in the index.php page?

Is this possible?

This can also be achieved (sort of) with .htaccess, depending on your actual requirements.

AuthType Basic
AuthName "Admin Area"
AuthUserFile /path/to/.htpasswd
Require valid-user

.htpasswd

admin:$apr1$7ej2t/..$qlcauURCmChKfwVhnxRLt.

(admin/pass)

If you are planning to use sessions in PHP, you should check if the appropriate session variables are set on the pages which the successfully logged in user visits.

To elaborate, you'll need to use something like this:

<?php
session_start();

// $_SESSION['usertype'] should be set in the index page once the admin guy logs in successfully
if (!isset($_SESSION['usertype']) || $_SESSION['usertype'] !== 'admin') {
    // Redirect the user to the login page if the expected session variable is not found
    header("Location: http://www.example.com/admin/");
    exit; // Stop here, otherwise the rest of the protected page is still executed and sent
}
?>

If you want to do this via PHP, you'll have to include code in every source file checking if the person has proper credentials. You really want to solve this with a web-server based solution.

If you're using Apache, you can use a .htaccess file to set up authentication. Try this article for your first step in the right direction.

Using server based authentication also allows you to protect non-PHP files.

The index.php is displayed when someone goes to that folder. Without it, the contents (all the files) would be displayed, which is, I think, what you want here (i.e. list everything).

However, permissions can be set in the .htaccess file to require passworded access to these files.

In this way, your files don't need to be individually protected, just the folder itself.

Your main point of entry can be the index.php and route the user to the proper view based on whether or not a SESSION is set.

And as for blocking the other files in the folder:

For PHP files: define a constant in the index.php and at the top of the other PHP files that are included check if it's "defined".

As for images and other types of files you can store them above the root and include them via PHP.
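
An added example, not part of the original answers: one way to serve images and other files stored above the web root through PHP, gated by the same session check as the other admin pages. The file name `file.php`, the `f` query parameter, the `private_files` directory and the `resolveStoredFile()` helper are assumptions made for illustration.

```php
<?php
// admin/file.php (hypothetical name): serves files kept outside the document root.
// Assumed for this example: the storage path and the 'f' query parameter.
declare(strict_types=1);

const STORAGE_DIR = __DIR__ . '/../../private_files'; // assumed location above the web root

session_start();
// Same session check as the other admin pages; exit so nothing is sent after the redirect.
if (!isset($_SESSION['usertype']) || $_SESSION['usertype'] !== 'admin') {
    header('Location: http://www.example.com/admin/');
    exit;
}

// Map a requested name to a real file inside $baseDir, or null if it is not there.
// basename() drops any directory part; realpath() resolves symlinks and "..".
function resolveStoredFile(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Reject anything that resolved outside the storage directory (e.g. via a symlink).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$name = $_GET['f'] ?? '';
$path = is_string($name) ? resolveStoredFile(STORAGE_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}

// Send the file with a detected content type; nosniff stops browsers from guessing another.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
header('Content-Type: ' . $type);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
readfile($path);
```

A page inside the admin area would then reference a stored image as `file.php?f=report.png` instead of linking to the file directly.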