Directory Access Control on Apache Server


count_10ants

My First Post :)

After allowing login to my site, based on a query, and commencement of a session, I then successfully implement use of a session variable to determine if a user should have access to pages in the site. However, it is possible to bookmark the pages accessed during the session, and later return to them WITHOUT logging in! [shock, horror! :mellow: ] Did I blink at the wrong time, somewhere?

Attempts to find solution:

1. I read a tutorial on .htaccess and concluded that I did not want to use a separate username-password file to complement that form of direct, password-based access-control. I want to continue to use a query to a MySQL users table to determine a valid username/password pair.

2. I read all the documentation offered with my Hosting Service's CPanel. The option supplying the PHP settings (php_configuration.gif) did not reveal anything promising. Also, phpsec.org/articles/ did not help.

3. I looked at the CPanel Pear-Extensions Option, saw the complex documentation offered (pear_extensions_options.gif), and reversed out, asking "Is there anything else?!!" :(

4. CPanel's "Password-Protect-Directories" Option seemed to offer a solution. I created a new user and set passwords on the "includes" and "code" folders, using the CPanel interface, in accordance with the following confident advice:

"Password protection allows you to require a username and password to access a folder within your site from the web. When password protecting a folder, there are a few things to remember. Protecting a folder will protect all folders within that folder. Also, you will need to create users who can access the protected directory. You can give the password protected directory any name, no matter what the actual directory is called."

This stopped access via bookmarks! Progress! :) Unfortunately, it also prevents a user from accessing the login element, because it makes a call to files in password protected folders, like "/code" :)

5. None of the many tutorials on the web on access control have helped. My college text, "PHP and MySQL for Dynamic Websites" by Larry Ullman, says nothing. I must have missed the lecture the day they explained access control. I searched your W3Schools PHP Tutorial. Nothing.

What I seem to need is a PHP script to submit a global username/password combination to the protected folders, once a specific user is logged in, but I don't know what PHP function to use, or even if one exists.

How do you read the php.ini file on your provider's server? The CPanel does not offer much. I have sent them an email but I am impatient over a weekend. :Unsure: They show a configuration list but it does not even include the GD functionality for images. Is that normal? :)

Is this note below (from http://www.php.net/manual/en/security.general.php) relevant?

"If you want to use .htaccess file, it should be:
<Files "*~">
Deny from all
</Files>
But then don't forget to set AllowOverride All (for the directory in question), e.g.
<Directory /var/www/localhost/htdocs>
AllowOverride All
</Directory>
since with the (default?) AllowOverride None the .htaccess files are ignored."

I included screenshots but they did not parse.


The whole point of sessions is that they remember your data for a certain period of time.

So if PC "A" connects to the site as user "X", it's natural that user "X" will be automatically authenticated when logging in from PC "A" again within their session time.

What you should worry about is if:

  • User "X" can log in from PC "A" even after his session has expired.
  • Once user "X" is authenticated, he could log in from PC "A" or PC "B".
  • PC "A" can switch seamlessly (say, with a tiny URL adjustment) between user "X" and "Y".


Summary of Original Post:

Q1. It is possible to bookmark the site pages accessed during the session, and later return to them WITHOUT logging in!

Q2. They show a PHP configuration list but it does not even include the GD functionality for images. Is that normal?

Q1: Re Reply: Yeah, I always knew it was something simple! LOL Thanks so much. It is amazing how simple it is when you see the big picture. Should I be including some code to terminate a session, after a while, to cover the situation when a user does not logout?

Q2. Please: How do I check my hosting service is offering GD functionality for images?

Q1: I think this needs to be configured in php.ini. I'm not sure with which directive (I don't use sessions myself). session.cache_expire maybe?

Q2: The easiest way is to create a new php file, and in it, write:

<?php phpinfo() ?>

Open the file, and look for a header saying "gd". Below it, there should be a table. If you can't find this, you have no GD support. If that's the case, you should ask your host to enable it for you, and/or ask them if you can enable extensions yourself and how.

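An added example, not code from any poster in this thread: one way to end a session after a period of inactivity from application code, so a bookmarked page stops working once the user has been idle too long. The file name auth_guard.php, the login path, the 15-minute limit and the session keys user_id and last_seen are assumptions; the login script is assumed to set both keys after the MySQL username/password check succeeds.

```php
<?php
// Hypothetical auth_guard.php: added example, not from the original thread.
declare(strict_types=1);

const IDLE_LIMIT = 900;           // assumed policy: 15 minutes of inactivity
const LOGIN_PAGE = '/login.php';  // assumed location of the login form

// Pure decision function: does this session data still represent a
// logged-in user at time $now? Kept separate so it can be checked offline.
function session_is_valid(array $session, int $now, int $idleLimit = IDLE_LIMIT): bool
{
    if (empty($session['user_id']) || !isset($session['last_seen'])) {
        return false; // never logged in, or login did not stamp the session
    }
    return ($now - (int) $session['last_seen']) <= $idleLimit;
}

// Call at the top of every protected page, before any output is sent.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!session_is_valid($_SESSION, time())) {
        // Anonymous or idle too long: clear the data, expire the cookie,
        // destroy the server-side session, then send the user to log in.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        header('Location: ' . LOGIN_PAGE);
        exit;
    }
    $_SESSION['last_seen'] = time(); // sliding window: activity extends the session
}

// Constructed sample data, evaluated only when this file is run from the CLI.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $now = 1700000000;
    var_dump(session_is_valid([], $now));
    var_dump(session_is_valid(['user_id' => 7, 'last_seen' => $now - 60], $now));
    var_dump(session_is_valid(['user_id' => 7, 'last_seen' => $now - 3600], $now));
}
```

Each protected page would start by loading this file with require and calling require_login(). Because the guard is loaded through the filesystem, the folder holding it does not need to be reachable from the web.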

Archived

This topic is now archived and is closed to further replies.
