HTTP file access and PHP sessions


Question

If a site has PHP sessions in place to enforce authentication/authorization to pages on the site which are implemented in PHP, how does the same logic enforce access to certain files?

Let's say a repository of files in a directory. So /var/www/html/ is protected via authentication; however, this PHP authentication logic won't prohibit a user from simply going to http://site.com/someDirectory/fileIShouldNotAccess.txt and pulling that file.

How do you couple the PHP session and authentication with Apache to enforce this type of behavior?

Accepted answer

Since PHP won't be invoked when the user requests a non-PHP file, you can't have Apache enforce PHP's access protection. You can make a very coarse and easy-to-fake check in Apache to make sure that a session ID cookie is present, but that's highly insecure. It just checks if the cookie's there, not that it represents a valid session or that the user's actually been granted access.

This other answer might help: http://stackoverflow.com/questions/2187200/using-php-apache-to-restrict-access-to-static-files-html-css-img-etc. Basically, you serve up all the protected content via a PHP script, instead of providing direct access.
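As an added example (not code from the original question or answer), this is one way to do what the accepted answer describes: keep the protected files outside the document root so Apache can never serve them directly, and hand them out through a PHP script that checks the session first. The directory `/var/www/protected`, the session key `user_id` and the script name `download.php` are assumptions.

```php
<?php
// download.php - serves protected files only to authenticated sessions.
// Added example, not from the original answer. Assumptions: files live in
// /var/www/protected (outside the document root, so Apache never serves them
// directly), and the login code sets $_SESSION['user_id'] on success.
session_start();

const PROTECTED_DIR = '/var/www/protected';

// 1. Enforce the same session-based check the PHP pages already use.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Accept only a bare file name: no slashes, no "." or "..", no odd bytes.
$name = $_GET['file'] ?? '';
if ($name === '' || $name === '.' || $name === '..'
    || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
    http_response_code(400);
    exit('Bad request');
}

// 3. Resolve the real path and confirm it is still inside PROTECTED_DIR
//    (defence in depth against traversal even if the name check is loosened).
$base = realpath(PROTECTED_DIR);
$path = realpath(PROTECTED_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// 4. Stream the file with conservative headers; nosniff stops browsers
//    guessing a more dangerous content type than the one declared.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Pages then link to `download.php?file=report.pdf`; a request to the old direct URL finds nothing because the file is no longer under the document root.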
