Directory Security
There are several levels, or types, of directory security. Each prevents content from being displayed in browsers, or provided to robots/spiders, that are not authorized to view or have the content.
- Securing a web page within a directory. A cookie is required. The cookie would be acquired by the browser through a log-in mechanism.
- Securing all files within a directory. A cookie is required. The cookie would be acquired by the browser through a log-in mechanism.
"Browser" in this article applies also to robots and spiders. The first two items on the list require the browser to present a cookie. The last item applies to all browsers, whether or not they present a cookie.
Setting a cookie is fairly simple. I'll show a simple way in a moment.
When a website needs a directory or pages within a directory restricted to only certain people, a log-in system is generally already in place. To use either of the first two items in the above list, the name of the cookie set by the login system must be known.
To determine the name of the log-in cookie (when it can't be determined by reading the software manual or the software code), log in and then see what the name of the cookie is. (In Firefox, use Preferences | Privacy | Show Cookies.)
How to set a cookie
To set a cookie, for testing or any other reason, make a PHP web page containing only this line. Customization note below.
<?php setcookie("**********","value",0,"/"); ?>
Customization note: Replace ********** with the name of the cookie to set.
Save the file with a .php filename extension, perhaps setacookie.php, upload it to the server and type its URL into a browser. When the page has loaded, the cookie is set (provided your browser accepts cookies).
More elaborate methods of setting cookies, and reading cookies are at these two articles:
Securing a web page within a directory
Any PHP web page can be secured by putting the following code at the very top of the file, no space or blank lines above it. Customization note below.
<?php if( empty($_COOKIE["**********"]) ) { header("Location: __________"); exit; } ?>
Customization note: Replace ********** with the name of the cookie to require for accessing the directory. And replace __________ with the URL of the page to redirect to if the browser does not present a cookie with the correct name.
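The check above tests only that a cookie with the given name is non-empty; it does not look at the cookie's value. The following added example (not the article's code) shows one way to have the log-in script issue an HMAC-signed value and have the protected page verify it. The cookie name auth_demo, the AUTH_COOKIE_KEY environment variable and /login.php are hypothetical, and the site is assumed to be served over HTTPS.

```php
<?php
// Added example, not the article's code. Hypothetical names: auth_demo,
// AUTH_COOKIE_KEY, /login.php. Needs PHP 7.3+ for the setcookie() options array.
const COOKIE_NAME = 'auth_demo';
const LOGIN_URL   = '/login.php';

function cookie_key(): string
{
    $key = getenv('AUTH_COOKIE_KEY'); // server-side secret (assumed env var)
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('AUTH_COOKIE_KEY missing or too short');
    }
    return $key;
}

// Called by the log-in script after the credentials have been checked.
function issue_cookie(string $user, int $ttl = 3600): void
{
    $payload = base64_encode($user) . '.' . (time() + $ttl);
    $mac     = hash_hmac('sha256', $payload, cookie_key());
    setcookie(COOKIE_NAME, $payload . '.' . $mac, [
        'expires' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the user name, or null if the cookie is absent, altered or expired.
function verify_cookie($raw): ?string
{
    if (!is_string($raw)) return null;
    $parts = explode('.', $raw);
    if (count($parts) !== 3) return null;
    [$user64, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user64 . '.' . $expires, cookie_key());
    if (!hash_equals($expected, $mac)) return null; // constant-time compare
    if (!ctype_digit($expires) || (int) $expires < time()) return null;
    $user = base64_decode($user64, true);
    return $user === false ? null : $user;
}

// Gate for the very top of a protected page.
if (verify_cookie($_COOKIE[COOKIE_NAME] ?? null) === null) {
    header('Location: ' . LOGIN_URL);
    exit;
}
```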
Securing all files within a directory
To keep browsers from obtaining any files at all in the directory without first logging in, put the following code in the .htaccess file of the directory to be protected. Customization note below.
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_COOKIE} !**********= [NC]
RewriteRule .* __________ [L]
Customization note: Replace ********** with the name of the cookie to require for accessing the directory. And replace __________ with the URL of the page to redirect to if the browser does not present a cookie with the correct name.
The directory security methods presented in this article are effective and can be implemented on most servers. (Microsoft IIS can't use the .htaccess file method.)
Use the method that provides the desired security.
Will Bontrager