限制内容访问登录的PHP用户 [英] Restrict content access to logged in users with PHP

问题描述

我有一个灯的设置，我只是希望能够保护内容的网页上（图片，CSS，视频等），因此，只有在用户登录才能访问它。

我知道我可以很容易的.htaccess做到这一点。不过，我不希望使用的身份验证弹出，我希望能够使用的会议，也可以注销。

我使用PHP做与MySQL认证的作业，并创建会话。这个伟大的工程。不过，形象，css，javascript等等仍然可以访问。

的我如何允许访问的内容只有一个有效的PHP会话存在？的

我所遇到的使用mod_rewrite将文件转发到PHP文件（如auth.php？FILE = ...），并做会议检查那里。这似乎效率低下，检查会议对于已经被检查在页面的每一个形象。这似乎是一个黑客，我一直在想有这样做的更清洁的方式。

有没有类似阿帕奇的mod_session_cookie可以检查是否与会话密钥的cookie在我的会议数据库中存在和mod如果是套起所有目录允许？

此外，是有可能使用mod_auth_mysql，也可以使用使用PHP的形式，而不是认证弹出会话和登录？

编辑：

这里是我的问题的解决方案：

在我的Apache配置文件（没有的.htaccess）我说：

  RewriteLock /var/www/lib/rewrite.lock＆LT;虚拟主机＆GT;
    ＃...
    RewriteEngine叙述上
    RewriteMap指令sessionValid PRG：/var/www/lib/allow.php    ＆LT;目录/ var /网络/客户/ *＆GT;
            RewriteEngine叙述上            ！的RewriteCond％{} HTTP_COOKIE客户端的cookie =（[^;] +）
            重写规则*  -  [L，R = 403]            的RewriteCond％{} HTTP_COOKIE客户端的cookie =（[^;] +）
            的RewriteCond $ {sessionValid：％1}有效！
            重写规则*  -  [L，R = 403]
    ＆LT; /目录＆GT;
＆LT; /虚拟主机＆GT;
 

和脚本allow.php：

 ＃！的/ usr / bin中/ PHP5
＆LT; PHP
或者set_time_limit（0）;回声;
$标准输入=的fopen（PHP：//标准输入，R）;
$ DB = mysql_connect（...）;
mysql_select_db（...，$分贝）;
$查询pre =SELECT ID FROM会议WHERE ID =';而（1）{
  $线=修剪（与fgets（$标准输入））;  $查询= $查询pre.mysql_real_escape_string（$线）'。
  $结果= mysql_query（$查询）;  如果（mysql_num_rows（$结果）0）
    回声（有效\\ n）;
  其他
    回声（0 \\ n）;
}mysql_close（$分贝）;
？＆GT;
 

这就像一个魅力。使用这种和的session_set_save_handler 我能够使用由MySQL支持PHP的会议，以确保无论是PHP页面和中的所有内容。我希望有人认为这是有用的。

一些注意事项：

• 的RewriteMap指令语句需要虚拟主机块内进行定义，如果你要使用它的虚拟主机内。将其置于块外将无法工作。


• 您必须定义RewriteMap指令，否则将被忽略之前设置RewriteEngine叙述上。


• RewriteLock不能在虚拟主机块。


• 与任何shell脚本，php文件必须是由Apache用户和^ M的
的无效可执行

• RewriteMap指令语句不能放置在.htaccess但使用地图可以在其他语句。

解决方案

 的RewriteCond％{} HTTP_COOKIE = mysessioncookie（[^;] +）！
重写规则+ \\。（JPG格式| CSS | JS）forbidden.html [R = 403]
 

I have a LAMP setup and I just want to be able to protect content on the webpage (images,css,videos,etc) so that only logged in users can access it.

I realize I can do this easily with .htaccess. However I do not want to use the authentication popup, and I want to be able to use sessions and also be able to logout.

I am using php to do the job of authenticating with mysql and create sessions. This works great. But images, css, javascript etc are still accessible.

How do I allow access to the content only if a valid php session exists?

I have come across using mod_rewrite to forward files to a php file (like auth.php?file=...) and do session checking there. This seems inefficient to check the session for every single image in a page that has already been checked. It seems like a hack and I keep thinking there is a cleaner way of doing this.

Is there a mod for apache like mod_session_cookie that could check if a cookie with a session key exists in my session database and if so sets Allow from all for the directory?

Alternatively, is it possible to use mod_auth_mysql but also be able to use sessions and login using a php form and not the authentication popup?

EDIT:

Here is my solution to the problem:

In my apache configuration file (not .htaccess) I added:

RewriteLock /var/www/lib/rewrite.lock

<VirtualHost>
    #...
    RewriteEngine on
    RewriteMap sessionValid prg:/var/www/lib/allow.php

    <Directory /var/www/client/*>
            RewriteEngine on

            RewriteCond %{HTTP_COOKIE} !client-cookie=([^;]+)
            RewriteRule .* - [L,R=403]

            RewriteCond %{HTTP_COOKIE} client-cookie=([^;]+)
            RewriteCond ${sessionValid:%1} !valid
            RewriteRule .* - [L,R=403]
    </Directory>
</VirtualHost>

And the script allow.php:

#!/usr/bin/php5
<?php
set_time_limit(0);

echo ""; 
$stdin = fopen("php://stdin","r");
$db = mysql_connect(...);  
mysql_select_db(..., $db);
$querypre = "SELECT ID FROM Sessions WHERE ID='";

while (1) {
  $line = trim(fgets($stdin));

  $query = $querypre.mysql_real_escape_string($line)."'";
  $result = mysql_query($query);

  if (mysql_num_rows($result) > 0)
    echo("valid\n");
  else
    echo("0\n");
}

mysql_close($db);
?>

This works like a charm. Using this and session_set_save_handler I was able to use php sessions backed by mysql to secure both the php pages and all content within. I hope someone finds this useful.

Some caveats:

• The RewriteMap statement needs to be defined inside the virtual host block if you are going to use it inside that virtual host. Placing it outside of the block will not work.
• You must have set RewriteEngine on before defining the RewriteMap or it will be ignored.
• RewriteLock cannot be in the virtual host block.
• As with any shell script, the php file must be executable by the apache user and void of ^M's
• RewriteMap statements cannot be placed in .htaccess but the other statements that use the map can.

解决方案

RewriteCond %{HTTP_COOKIE} !mysessioncookie=([^;]+)
RewriteRule .+\.(jpg|css|js) forbidden.html [R=403]

这篇关于限制内容访问登录的PHP用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！