HTTP文件访问和PHP会议 [英] http file access and php sessions
问题描述
如果一个网站有PHP会话到位强制认证/授权,这是在PHP实现网站上的网页,怎么同样的逻辑强制访问某些文件。
If a site has php session's in place to enforce authentication/authorization to pages on the site which are implemented in php, how does the same logic enforce access to certain files.
可以说,文件的存储库中的目录。因此,在/ var / www / html等/通过身份验证保护然而,这PHP认证逻辑将不会从根本去的 http://site.com/someDirectory/fileIShouldNotAccess.txt 并拉动该文件。
Lets say a repository of files in a directory. So /var/www/html/ is protected via authentication however, this PHP authentication logic won't prohibit a user from simply going to http://site.com/someDirectory/fileIShouldNotAccess.txt and pulling that file.
你怎么情侣PHP会话和认证与Apache执行这种类型的行为?
How do you couple the php session and authentication with apache to enforce this type of behavior?
推荐答案
由于PHP将不会被调用,你不能有阿帕奇执行PHP的访问保护。您可以在Apache的一个很粗,易于伪造的检查,以确保一个会话ID Cookie是present,但是这是非常不安全的。它只是检查是否cookie的存在,而不是它重新presents一个有效的会话或用户的实际被授予访问权限。
Since PHP won't be invoked when the user requests a non-PHP file, you can't have Apache enforce PHP's access protection. You can make a very coarse and easy-to-fake check in Apache to make sure that a session ID cookie is present, but that's highly insecure. It just checks if the cookie's there, not that it represents a valid session or that the user's actually been granted access.
这对方的回答可能会有帮助。 <一href=\"http://stackoverflow.com/questions/2187200/using-php-apache-to-restrict-access-to-static-files-html-css-img-etc\">http://stackoverflow.com/questions/2187200/using-php-apache-to-restrict-access-to-static-files-html-css-img-etc.基本上,你通过PHP脚本服务于所有受保护的内容,而不是提供直接访问。
This other answer might help. http://stackoverflow.com/questions/2187200/using-php-apache-to-restrict-access-to-static-files-html-css-img-etc. Basically, you serve up all the protected content via a PHP script, instead of providing direct access.
这篇关于HTTP文件访问和PHP会议的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!