
I'm working on a PHP-based web app which allows users to log in. What would be the appropriate method of 404'ing all the back-end (the actual application pages)?

I've got a user-tools class which has a check-login function in it, that I use at the moment. If the user isn't logged-in, it redirects to a 404.

However I'm wondering is there a better way to set this up? Could I have a global page that has a list of all the pages that should 404 if the user isn't logged in? If so, how would you set that up?

Giacomo1968
user3143218
  • Never "redirect to a 404", just send 404 headers from the requested page. – Wesley Murch May 04 '14 at 15:39
  • Download a prepackaged CMS like WordPress. Look at the default `.htaccess` file & `index.php` file. Then learn how they are routing all traffic through the main `index.php` via `.htaccess` rules. – Giacomo1968 May 04 '14 at 15:51

1 Answer


Many websites have all their traffic go through a single entry point. In such a setup, you can define a constant in that single file, and check it in every file that is included, so you know whether the file was in fact loaded by the entry file. This method is implemented in MediaWiki, for example.

Another solution is to put all the include files outside of the document root. Many frameworks (like CodeIgniter and others) allow you to specify this directory, and allow you to put it anywhere you want. If it's outside the doc root, visitors cannot load files from that directory directly.

GolezTrol
  • So in the first part of your answer, you're saying you would have something like global.connect.php which connects to the DB. You then check if the user is logged in there and include the file on every page? – user3143218 May 04 '14 at 15:45
  • That's a possibility, but what I meant is the other way around. Using htaccess, you redirect every request to the same file (index.php). Index.php analyzes the request and includes the right file(s) accordingly. With that setup, the only file that needs to be in your document root is index.php. All the others can be somewhere else, outside the reach of direct access. – GolezTrol May 04 '14 at 18:37
  • Oh, that's what I meant in the second one, although MediaWiki, which I mentioned, also uses that technique, so basically they are very similar. Both solutions are based on a single entry file, but one solution is to protect every file by adding a line of code on top of it, while the other protects them by making them unreachable at all. – GolezTrol May 04 '14 at 18:42
  • This single-entry solution is usually called 'routing' in frameworks like CodeIgniter, Kohana, Yii etc., so maybe you can investigate how they do it. There are also standalone routing engines. Maybe you can get some inspiration from this question: [Is there a standalone PHP routing library?](http://stackoverflow.com/questions/15392024/is-there-an-standalone-php-routing-library) – GolezTrol May 04 '14 at 18:43
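
The single-entry setup discussed in the answer and comments above, sketched as an added example (not code from the answer or from any framework it names). It assumes the web server rewrites every request to `index.php`; the names `APP_ENTRY` and `APP_DIR`, the route list, the `../app` layout and the `user_id` session key are all hypothetical.

```php
<?php
// index.php: the only PHP file inside the document root (added example).
// Assumption: the web server rewrites every request to this file, and
// APP_DIR points at a directory outside the document root.
declare(strict_types=1);

define('APP_ENTRY', true);                    // included files check this constant
define('APP_DIR', dirname(__DIR__) . '/app'); // hypothetical layout: ../app

session_start();

// Allow-list of routes: path => [file to include, login required?].
// Anything not listed here cannot be reached at all.
$routes = [
    '/'          => ['home.php',      false],
    '/login'     => ['login.php',     false],
    '/dashboard' => ['dashboard.php', true],
    '/settings'  => ['settings.php',  true],
];

function notFound(): void
{
    // Send the 404 status from the requested URL itself; no redirect.
    http_response_code(404);
    header('Content-Type: text/html; charset=utf-8');
    echo '<h1>404 Not Found</h1>';
    exit;
}

$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
$path = is_string($path) ? (rtrim($path, '/') ?: '/') : '/';

if (!isset($routes[$path])) {
    notFound();                               // unknown page
}

[$file, $needsLogin] = $routes[$path];

// Hypothetical session key set by the login handler after authentication.
if ($needsLogin && empty($_SESSION['user_id'])) {
    notFound();                               // same response as an unknown page
}

// The file name comes from the allow-list, never from user input.
require APP_DIR . '/' . $file;

// First line of each included file, for the case where it must stay
// inside the document root (the constant check from the answer):
//   if (!defined('APP_ENTRY')) { http_response_code(404); exit; }
```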