So I have a login script that assigns a session to the user once he logs in. This script normally redirects to the index if the session DOES NOT exist, else it continues to another PHP script called login_successful.php.

I added the session script to the HeaderName because I have a file directory that needs to be protected from people who are NOT logged in and I want to prevent direct URL access to the files in the uploads directory. I don't want to list the directory using PHP for sheer simplicity. Here is my .htaccess:

Options +Indexes
IndexOptions FancyIndexing
AddType text/html .php
Addhandler application/x-httpd-php .php
HeaderName /header.php

Here is my header.php for Apache HeaderName:

<?php
session_start();
// IF USER NOT REMEMBERED (DID NOT CLICK REMEMBER ME BUTTON) OR NO SESSION IS FOUND THEN THROW HIM OUT TO LOGIN
// SECURITY SO THAT USERS CAN'T ACCESS WEB URL DIRECTLY
 if (!isset($_SESSION['myusername']) && !isset($_COOKIE['myusername']))
 {
   header("Location: index.php");
 }
?>

The HeaderName directive works if I use regular PHP expressions like echo but does not work with the code above.

What am I doing wrong?

Help is appreciated.

  • I'm willing to bet that HeaderName is already outputting <html><body>... type stuff BEFORE it reaches the file you're including via HeaderName, which means that header() calls are not permitted anymore. Commented Feb 10, 2014 at 3:17
  • But in PHP you can call an HTML tag first and then PHP; in PHP, order is not an issue. But you might be right about the header() issue. Commented Feb 10, 2014 at 3:47
  • Yeah, but you're not dealing with JUST PHP... you're dealing with Apache too, and unless Apache calls your header script BEFORE it does any other output, you'll never be able to get header() calls to work, because Apache's already triggered output itself. You also couldn't use any PHP buffering methods, because PHP starts AFTER Apache's done the output. Commented Feb 10, 2014 at 3:48
  • @MarcB As a workaround I used a meta tag refresh and it worked. However, even though the directory isn't accessible, the files are. Any way to prevent download of files unless logged in? Commented Feb 10, 2014 at 12:11
  • @fixnode Don't allow direct access to the files that will download; use a script that starts the download. That way you can request login before the download starts. Commented Feb 10, 2014 at 12:46
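
The approach suggested in the last comment, as an added example that is not part of the original thread: a download script that checks the session before streaming a file. The script name `download.php`, the `file` query parameter and the `private_uploads` storage path are assumptions made for illustration; `$_SESSION['myusername']` is the key used in the question.

```php
<?php
// download.php -- added example, not code from the original post.
// Assumptions: uploads live in a directory the web server does not serve
// directly (hypothetical path below) and login sets $_SESSION['myusername'].
session_start();

// Hypothetical storage location outside the document root.
$baseDir = realpath(__DIR__ . '/../private_uploads');

// Only the server-side session counts as proof of login; a cookie named
// "myusername" can be set to any value by the client.
if (!isset($_SESSION['myusername'])) {
    header('Location: index.php');
    exit; // stop here, otherwise the rest of the script still runs
}

// 'file' is a hypothetical query parameter: download.php?file=report.pdf
$requested = isset($_GET['file']) ? (string) $_GET['file'] : '';

// basename() drops any directory part, so "../" cannot leave $baseDir.
$name = basename($requested);
$path = ($baseDir !== false && $name !== '')
    ? realpath($baseDir . DIRECTORY_SEPARATOR . $name)
    : false;

// realpath() resolves symlinks; confirm the result is still inside $baseDir.
if ($path === false
    || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('File not found');
}

// Restrict the name echoed back in the response header to a safe character set.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

// Generic type plus "attachment" makes the browser download the file
// instead of rendering it in the site's origin.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

This only protects the files if the storage directory cannot be requested directly; if it has to stay under the document root, deny all direct requests to it in the Apache configuration so the script is the only route to the files.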
