Restricting access to web pages with PHP

I have several folders within my web server. Each folder contains php / html files. In total there are around 40 files.

Using php I can determine the identity of the user who is currently logged in.

Is it possible to allow users to only access specific pages, based on who they are logged in as?

I was wondering if .htaccess would allow this? Or if there is a better way?

I don't really want to start having to create a user / password authentication script.

Thanks

Using sessions, you can create user levels and restrict access to various areas by assigning user levels to SESSION variables. Presumably, since, to quote, "Using php I can determine the identity of the user who is currently logged in.", you have the ability to set up session variables. I believe this is known as role-based access control. In its very simplest form:

if ($_SESSION['user_level'] == "Administrator") {
# do something
}

This article may help further

You could do something like this in your .htaccess:

RewriteEngine On
RewriteBase /
RewriteRule ^(.+?\.php)$ index.php?p=$1 [L,QSA,NC]

This will redirect all users trying to view a PHP page to index.php?p=someurl.php

Then in your index.php you can determine if the user has permission to view the file and, if they do, serve it; if not, deny it.

if ( authorized() ) {
  // show file
} else {
  die("Not Authorized to Access this File.");
}
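
The front-controller approach in the answer above passes the requested file name in `p`, which is user-controlled, so the authorization check and the file lookup should both go through a deny-by-default allowlist. A sketch of that check as an added example (not code from any of the answers); the page names, the `pages` directory and the role names are assumptions, and the role is taken to come from `$_SESSION['user_level']` as in the first answer:

```php
<?php
declare(strict_types=1);

// Assumed layout: protected scripts live in PAGES_DIR, ideally outside the web root.
const PAGES_DIR = __DIR__ . '/pages';

// Deny-by-default map: page => roles allowed to view it (all names are hypothetical).
const PAGE_ROLES = [
    'reports/summary.php' => ['Administrator', 'Manager'],
    'admin/users.php'     => ['Administrator'],
    'home.php'            => ['Administrator', 'Manager', 'User'],
];

/**
 * Decide what to do with a request for $page by a user holding $role.
 * Returns [HTTP status, absolute path to include or null].
 */
function resolve_page(string $page, ?string $role): array
{
    // Only exact keys of the allowlist are accepted, so "../" sequences,
    // absolute paths and unknown files all fall through to 404.
    if (!array_key_exists($page, PAGE_ROLES)) {
        return [404, null];
    }
    if ($role === null) {
        return [401, null];               // not logged in
    }
    if (!in_array($role, PAGE_ROLES[$page], true)) {
        return [403, null];               // logged in, but role not permitted
    }
    return [200, PAGES_DIR . '/' . $page];
}

// Constructed sample requests: [value of ?p=, value of $_SESSION['user_level']].
$samples = [
    ['home.php', 'User'],
    ['admin/users.php', 'User'],
    ['admin/users.php', 'Administrator'],
    ['../../etc/passwd', 'Administrator'],
    ['reports/summary.php', null],
];
foreach ($samples as [$page, $role]) {
    [$status, $path] = resolve_page($page, $role);
    printf("%-22s %-14s -> %d %s\n", $page, $role ?? '(none)', $status, $path ?? '');
}
```

In index.php the two arguments would be `$_GET['p'] ?? ''` and `$_SESSION['user_level'] ?? null`; send the returned status with `http_response_code()` and `require` the path only on 200.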

You can't directly access SESSIONs from .htaccess rules, but you can try a workaround if you're not willing to code.

Inside your authorizing code section, in the last lines after creating the session, add a touch() call to create a file named after the current user's session ID:

touch("./folder/logged/PHPSESSID_".session_id());

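Then within your .htaccess file, check whether the file for the current PHPSESSID was created earlier:

# If a marker file exists for this session ID, serve the request unchanged and stop
RewriteCond %{HTTP_COOKIE} PHPSESSID=(\w+)
RewriteCond %{DOCUMENT_ROOT}/folder/logged/PHPSESSID_%1 -f
RewriteRule ^ - [L]
# Otherwise send the request to the login page
RewriteRule .* /users/login [L]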

* Also note that you should create a simple script to check whether the created files are still valid and, if not, remove them.

* It's just an idea!