I have a slight problem which is giving me a lot of headache. I have an Apache2 server with LAMP on a Debian distro. The problem is that if I access www.domain.com/folder, I see the contents of the folder, and I don't want that to be visible. Besides, if I access a .php file within this folder, it is executed; these should not be executed if the login has not been done.
For the fact of hiding the files, what I have done has been to insert a .htaccess file with the following content:
Order Allow,Deny
Deny from all
To deny access to the files, what I have done is check whether they have the session cookies with the user; otherwise the application does not work, but I do not think it is a good practice.
<?php
// the session must be started before $_SESSION can be read
session_start();
// check that the user is logged in
if(isset($_SESSION['usuario'])){
//the page code will go here
}else{
//if not logged in we send them to the login page and stop running this script
header("Location: login.php");
exit;
}
To avoid directory listing it should be handled with .htaccess.
As for the login control, how you are doing it is wrong; if it is procedural you can use something like this:
Any php file:
Content of validate.php:
With the latter we are validating that if the user is not in the session we must automatically redirect to the login and exit this current execution.
note: remember that each php page file must carry its session initializer in order to continue with session validation.
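The answer above describes a validate.php that every protected page includes, but its file contents did not survive on this page. The following is an added example, not the answerer's original file and not code from the question: it assumes the session key is named 'usuario' as in the question, that login.php lives at the web root, and that the protected pages sit in the same directory as validate.php. It starts the session itself (so an including page cannot forget to), redirects when no user is in the session, and calls exit so nothing after the include runs for an unauthenticated request.

```php
<?php
// validate.php -- added example (hypothetical file, not the one from the answer).
// Usage: put this at the very top of every page that must require a login:
//     require_once __DIR__ . '/validate.php';
// It must run before any output is sent, because header() cannot be called
// once the response body has started.

// Start the session only if nothing has started it yet, so that a page which
// already called session_start() does not trigger a notice.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// 'usuario' is the session key assumed from the question; adjust to the
// application's real key. empty() also covers an unset or empty-string value.
if (empty($_SESSION['usuario'])) {
    // Not logged in: send the browser to the login page and stop executing
    // the current script. Without exit, PHP would keep rendering the
    // protected page body after sending the redirect header, which means the
    // content is still delivered to anyone who ignores the redirect.
    header('Location: /login.php');
    exit;
}
```

Two notes on the surrounding setup. First, the .htaccess shown in the question (Order Allow,Deny / Deny from all) blocks every HTTP request to that folder, including the legitimate requests for the .php pages, which is why the application stops working with it in place; to hide only the listing while still serving the scripts, the directive to use is Options -Indexes (or an empty index.php), which is what "handled with .htaccess" in the answer refers to. Second, this check only protects pages that actually include validate.php; any script in the folder that omits the require_once stays reachable, so the include belongs at the top of every page rather than being added case by case.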