Password protect directory without .htaccess

I’m trying to build a password protected area on my site. I can password protect the individual php files no problem, but I have multiple swf, pdf & zip files as well and I need to make sure that these can only be accessed once the user has logged in.

I can get this all to work no problem if I use .htaccess.

The issue I have is that I need to be able to let the user logout (using a button) as this will be used on a public computer within a school, something that can’t be done with .htaccess.

If anyone can help me out, or point me in the direction of a free or commercial script I’d really appreciate it as I’m pulling my hair out with this.


There may well be better solutions out there, although this is what I have done in the past to make this work:

  1. Implement phpseclib to communicate with the server using SSH
  2. Users for the application are bound to the Linux (UNIX) users rather than a database of users
  3. Jail the SSH for authenticated users to the directories they are allowed
  4. Create a login that passes shell commands to login or reject users
  5. Maintain user login status via a state.

If you have never worked with this type of thing before, all I can say is it was a little hairy for me. The documentation for phpseclib is ok but not great. A good understanding of Linux really helped me here. Also, not many people do this, so there was not a lot on the web that could help. Things might be different in this regard nowadays?


Thanks for the info… it’s a little bit out of my league I think tho :frowning:

You can use .htaccess files :wink:

I am doing something very similar to you on a project I have already. It’s not 100% secure, but it helps.

RewriteEngine on
RewriteCond %{HTTP_COOKIE} !abcd=1 [NC]
RewriteRule ^(.*)$ /login/1 [R,L]

If you place a .htaccess file with the above text in the directory that you want to protect, any resource accessed inside that directory will require that you have a cookie called ‘abcd’.

You can set this cookie on login and you can remove it on logout, thus giving you the control you need.

I’ve set it as ‘abcd’, although you will want to change it to suit your own needs.
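
The rewrite rule above only tests that the browser sends a cookie named abcd, which the server cannot tie to an actual login. An alternative that still supports a logout button is to keep the swf, pdf and zip files out of direct reach and stream them through a PHP script that checks the server-side session. This is an added example, not code from any poster in this thread; the script name `download.php`, the `PROTECTED_DIR` path, the `file` query parameter and the `user_id` session key are assumptions.

```php
<?php
declare(strict_types=1);
// download.php (hypothetical name): serve protected files only to logged-in users.
// Assumptions: the login script sets $_SESSION['user_id'], and the files live in
// PROTECTED_DIR, which is outside the web root so they cannot be fetched directly.

const PROTECTED_DIR = '/var/www/protected';   // assumed path, adjust to your host
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'zip' => 'application/zip',
    'swf' => 'application/x-shockwave-flash',
];

// Returns the real path of the requested file, or null if it must not be served.
function resolveProtectedFile(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;                                    // missing file or base dir
    }
    // Reject anything that resolves outside the base directory (../ or symlinks).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return isset(ALLOWED_TYPES[$ext]) ? $path : null;   // only the expected types
}

session_start();
if (empty($_SESSION['user_id'])) {                      // login state is kept server-side
    header('Location: /login/1');                       // login URL used in the rule above
    exit;
}

$file = $_GET['file'] ?? '';
$path = is_string($file) ? resolveProtectedFile(PROTECTED_DIR, $file) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');             // shared school computers
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The logout button then only needs a script that calls `session_start()`, empties `$_SESSION` and calls `session_destroy()`; after that every request to `download.php` is redirected to the login page.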