Direct access to a file is a no-go?


rootKID

Hello W3S! Been a while x)

Anyways, I believe my question lies in the title? Well, I tried to do that anyways. It's more a question than a request this time.

I was wondering, for some security purposes on my forum, if it would be possible for the logout file of a user to have NO DIRECT ACCESS in the URL to it?

Meaning the only, and I stress the word ONLY, ACCESS to the file is by entering it from another file, and if they try to go by URL like so:

www.domaintitle.com/logout.php

then they will simply be redirected to the index.php file.

Is this possible Oo? If so, which ways are there? Would be great to have as an "extra ordinary" security I think ^^'

Thanks for your help as usual! ^^

Link to comment
Share on other sites

It doesn't really add any extra security to do that with PHP files, but you could put the file outside of the web root or use .htaccess to deny access to it, and then include it from another PHP script. But there's still going to be some URL to access it, right? So I'm not sure what the point is. The normal case where you would have a setup like this is if people are downloading files or something but need to be logged in first. You would remove direct access to the files and then use a PHP script that gets the filename they want, where the PHP code can make sure they're authorized before sending the file.

Link to comment
Share on other sites

Hmm... I'm not really sure about the security also, like you said. But the reason I said "security" is because the file is called "handler.php"; in that file I will make ALL my functions, and those functions I will use by including the file in the pages on the website where it's needed.

So the reason I said security was really because no one should have direct access to the file itself except through other files where it's been included or something like that.

But about HTAccess... how does it work? Never been the best top 100 at htaccess :/

Link to comment
Share on other sites

If you don't want people to access a file then just move it outside of the web root. But, if you have a PHP file that does nothing but define functions or classes or whatever then there's no reason to restrict access to it. If the file does not contain any executable code other than definitions, what can people do by accessing it? In other words, if you have a file with this in it:

<?php
// Only a definition: nothing runs when this file is requested directly.
function test1() {
  echo 'test';
}
That's just a definition, there's no other code. There's no way that someone can access that file and actually cause that function to be executed. They're just accessing a file that defines things, and so what?

But about HTAccess... how does it work? Never been the best top 100 at htaccess :/

It's a file that Apache will process to check for rules and things when accessing files inside folders that contain .htaccess files. Each file affects the folder it is in and all subfolders.
Link to comment
Share on other sites
