Since you have the login screens, etc. already, once a user is 
authenticated, start a session and register a session variable, using a 
meaningful value fetched from the database. I use "member_id", but anything 
will do.

At the very top of each page you want to protect, with no spaces or 
ANYTHING before it, add this code:
<? session_start(); if( !session_is_registered( "member_id" ) ) { 
header("Location: user_logon.php\n"); } ?>
The pages all have to have a .php extension so that this code  will 
execute, but other than this one line they can be straight HTML.

When a user hits the page, coming from anywhere, and doesn't have a session 
registered with something in "member_id", he is redirected to the logon 
page, creatively named "user_logon.php".

The beauty of this is that the session disappears when the browser is 
closed, you can also provide a "logout" function which has only to destroy 
the session variable. Now you can dispense with .htaccess and .htpasswd.

To protect each directory, all you need is an index.php in each, containing 
nothing more than this line. Anyone blundering in will be directed to log 
on. If you prefer to not protect some pages in a directory, leave the line 

More than a word, and I hope it's helpful - Miles

At 03:09 AM 4/5/01 +0100, Mick Lloyd wrote:
>Can anyone point me to a tutorial that explains in words of one syllable how
>to protect files/directories without using .htaccess and .htpasswd.
>I have log-in screens that search an authorized users database for name,
>password, level before they can get into the site. But each time someone (ie
>me at the moment) tries to log-in, the browser throws up the (HTTP
>Authentication?) dialog box - I guess because I have .htaccess and .htpasswd
>protecting the directories where the scripts reside. I would prefer not to
>have this happen and rely only on authentication from the database. But how
>do I then protect the directories/scripts from anyone wanting to have a look
>(not that they're worth much!).
>Mick Lloyd
>Tel: +44 (0)1684 560224
>PHP Database Mailing List (http://www.php.net/)
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>To contact the list administrators, e-mail: [EMAIL PROTECTED]

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to