I have a PHP website and I want to make sure that only logged in users can access certain data and that users can only access data the have clearance to access. I'm not really sure if this is a PHP or Apache issue. Let's say the folder "Images" exists on the server. If the user is not logged in and the browser requests can image from the folder, would a redirect to another page take care of it or do I need to involve Apache somehow to make sure that the user absolutely can't access the files unless there is a PHP session which identifies the user?
Use php to verify the user and use an .htaccess file to deny any access to that directory which isn't sent from php. However, if you use the .htaccess method, you'll have to get the image with php, it won't be accessible with html or javascript. Put an .htaccess file in the image folder:
deny from all
With that written inside of the .htaccess file.
Then only php can access the files inside of the folder.
An entire directory can be made off-limits unless the browser has a certain cookie. Modify the .htaccess file in the wanted directory to include:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_COOKIE} !CookieName=Value [NC]
RewriteRule .* http://www.example.com/members/login.php [L]
You have to change three things:
CookieName should have the name you want.Value behind CookieName you can require the cookie to have a specific value.Now access will only be granted when the correct cookie is present in the browser. And of course only users that can log in should have this cookie. I assume you know how to make such a cookie? Tip: Let the cookie expire reasonably quick.