使用 PHP 限制登录用户的内容访问 [英] Restrict content access to logged in users with PHP
问题描述
我有一个 LAMP 设置,我只想能够保护网页上的内容(图像、CSS、视频等),以便只有登录用户才能访问它.
I have a LAMP setup and I just want to be able to protect content on the webpage (images,css,videos,etc) so that only logged in users can access it.
我意识到我可以使用 .htaccess 轻松做到这一点.但是,我不想使用身份验证弹出窗口,我希望能够使用会话并能够注销.
I realize I can do this easily with .htaccess. However I do not want to use the authentication popup, and I want to be able to use sessions and also be able to logout.
我正在使用 php 来完成与 mysql 的身份验证和创建会话的工作.这很好用.但是图片、css、javascript 等仍然可以访问.
I am using php to do the job of authenticating with mysql and create sessions. This works great. But images, css, javascript etc are still accessible.
如何仅当存在有效的 php 会话时才允许访问内容?
我遇到过使用 mod_rewrite 将文件转发到 php 文件(如 auth.php?file=...)并在那里进行会话检查.对于已经检查过的页面中的每个图像,检查会话似乎是低效的.这似乎是一种黑客行为,我一直认为有一种更简洁的方法可以做到这一点.
I have come across using mod_rewrite to forward files to a php file (like auth.php?file=...) and do session checking there. This seems inefficient to check the session for every single image in a page that has already been checked. It seems like a hack and I keep thinking there is a cleaner way of doing this.
是否有像 mod_session_cookie 这样的 apache 模块可以检查我的会话数据库中是否存在带有会话密钥的 cookie,如果存在,则为目录设置 Allow from all?
Is there a mod for apache like mod_session_cookie that could check if a cookie with a session key exists in my session database and if so sets Allow from all for the directory?
或者,是否可以使用 mod_auth_mysql 但也可以使用会话和使用 php 表单而不是身份验证弹出窗口登录?
Alternatively, is it possible to use mod_auth_mysql but also be able to use sessions and login using a php form and not the authentication popup?
这是我对问题的解决方案:
在我的 apache 配置文件(不是 .htaccess)中添加:
In my apache configuration file (not .htaccess) I added:
RewriteLock /var/www/lib/rewrite.lock
<VirtualHost>
#...
RewriteEngine on
RewriteMap sessionValid prg:/var/www/lib/allow.php
<Directory /var/www/client/*>
RewriteEngine on
RewriteCond %{HTTP_COOKIE} !client-cookie=([^;]+)
RewriteRule .* - [L,R=403]
RewriteCond %{HTTP_COOKIE} client-cookie=([^;]+)
RewriteCond ${sessionValid:%1} !valid
RewriteRule .* - [L,R=403]
</Directory>
</VirtualHost>
和脚本allow.php:
And the script allow.php:
#!/usr/bin/php5
<?php
set_time_limit(0);
echo "";
$stdin = fopen("php://stdin","r");
$db = mysql_connect(...);
mysql_select_db(..., $db);
$querypre = "SELECT ID FROM Sessions WHERE ID='";
while (1) {
$line = trim(fgets($stdin));
$query = $querypre.mysql_real_escape_string($line)."'";
$result = mysql_query($query);
if (mysql_num_rows($result) > 0)
echo("valid\n");
else
echo("0\n");
}
mysql_close($db);
?>
这就像一个魅力.使用这个和 session_set_save_handler 我能够使用 php 会话由 mysql 支持以保护 php 页面和其中的所有内容.我希望有人觉得这很有用.
This works like a charm. Using this and session_set_save_handler I was able to use php sessions backed by mysql to secure both the php pages and all content within. I hope someone finds this useful.
一些注意事项:
- 如果要在虚拟主机中使用 RewriteMap 语句,则需要在虚拟主机块中定义它.将它放在块之外是行不通的.
- 您必须在定义 RewriteMap 之前将 RewriteEngine 设置为开启,否则它将被忽略.
- RewriteLock 不能在虚拟主机块中.
- 与任何 shell 脚本一样,php 文件必须可由 apache 用户执行并且没有 ^M
- RewriteMap 语句不能放在 .htaccess 中,但其他使用映射的语句可以.
推荐答案
RewriteCond %{HTTP_COOKIE} !mysessioncookie=([^;]+)
RewriteRule .+\.(jpg|css|js) forbidden.html [R=403]
这篇关于使用 PHP 限制登录用户的内容访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!