At 10:46 12.02.2003, Shams said:
--------------------[snip]--------------------
>I've written a secure PHP login script which will allow users to login to a
>directory such as this:
>
>smezone.com/members/index.php
>
>however, how do I restrict people from accessing HTML files in that
>directory (which they can easily do so by typing the URL into their
>browser), such as:
>
>smezone.com/members/document1.html
>
>?
>
>Since they're regular HTML files (and we have lots), I can't check whether the
>user has a valid session as I would do in a PHP file.
--------------------[snip]--------------------

If you have access to the server's directory structure (and either shell
access or a helpful admin) you could also consider a different approach by
moving the files outside the webserver's path and including them in your
access script.

BEFORE (assumed)
    /~shams
    /~shams/www
    /~shams/www/members

now, do
    cd /~shams
    mkdir www.members
    mv www/members/* www.members
    # and make sure that the http process has read permission on files,
    # and read/execute permission on directories and subdirs

so we have

AFTER
    /~shams
    /~shams/www.members   <-- not accessible via http
    /~shams/www           <-- webserver root folder

In your login script, you would then (after a valid login check)

    // resolve the requested name and refuse anything that ends up
    // outside www.members (for example a "../" in the parameter)
    $base = realpath('../www.members');
    $file = ($base === false) ? false : realpath($base . '/' . $_REQUEST['file']);
    if ($file === false || strpos($file, $base . '/') !== 0)
        die('cannot open file ' . htmlspecialchars($_REQUEST['file']));
    $hf = fopen($file, 'r');    // fopen() requires a mode argument
    if ($hf) {
        echo fread($hf, filesize($file));
        fclose($hf);
    }
    else
        // escape the parameter before echoing it back into the page
        die('cannot open file ' . htmlspecialchars($_REQUEST['file']));

assuming you pass the requested filename via a "file" parameter, which you
could easily accomplish by using either ErrorDocument or mod_rewrite in your
Apache config.

HTH,

--
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
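
The access script described in the reply above, written out end to end as an added example (not code from the original post or from the PHP project): session gate, path resolution confined to www.members, a file-type allowlist so PHP sources are never echoed, and the response headers. Assumptions: PHP 7.1 or later, the login script sets a hypothetical `$_SESSION['member_id']`, the filename arrives in the `file` parameter, and the allowlist contents are illustrative.

```php
<?php
// Added example. MEMBERS_DIR follows the layout in the reply; the session
// key and the allowlist below are assumptions, not part of the original post.
const MEMBERS_DIR   = __DIR__ . '/../www.members';
const ALLOWED_TYPES = ['html' => 'text/html', 'htm' => 'text/html',
                       'pdf'  => 'application/pdf'];

/**
 * Map the "file" request parameter to a real path inside $baseDir,
 * or return null if it must not be served.
 */
function resolve_member_file(string $baseDir, $requested): ?string
{
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return null;                        // arrays, empty values, NUL bytes
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                        // directory missing: fail closed
    }
    // realpath() collapses "../" and follows symlinks, so the prefix test
    // below is made against the location that would actually be read.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                        // resolved outside www.members
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return isset(ALLOWED_TYPES[$ext]) ? $path : null;
}

session_start();
if (empty($_SESSION['member_id'])) {        // hypothetical key set at login
    http_response_code(403);
    exit('login required');
}
$path = resolve_member_file(MEMBERS_DIR, $_GET['file'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit('not found');                      // the parameter is not echoed back
}
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
readfile($path);
```

Subdirectories of www.members keep working because the check compares resolved paths rather than stripping the directory part of the request.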