# How to restrict user access to content in folders using PHP and Apache .htaccess files

So I was faced with this problem: I needed to restrict access to content(images, files, documents..) in folders, and normally this is done by using a .htacces and .htpasswd file, but I needed more functionallity than this method provided. This extra functionality could be that you simply have a list of users in a database and want to authenticate and authorize users against this database using PHP. In this entry I explain a method I developed to do exactly this.

The method is quite simple

• A .htaccess file in the base directory has a list of folders you want to restrict access to
• Whenever a client tries to access some content in one of these folders Apache redirects(rewrite) to a PHP file
• This PHP file authenticates the user and checks if the user should be allowed access to this folder
• If successful the PHP file will try to open the file and outputs its contents to the user

The .htaccess file

 1 2 3 4 RewriteEngine on RewriteBase / RewriteCond %{REQUEST_URI} ^\/(path\/to\/some\/folder|dummy)\/.*$RewriteRule !^((.*.php)|(.*\/))$ authorize.php

What this .htaccess file does is to redirect(or rewrite) to the PHP file authorize.php if the request URI(%{REQUEST_URI}) that is, everything after the hostname of the URL address. So if we are at http://www.example.com/somefolder/ex.jpg the %{REQUEST_URI} is /somefolder/ex.jpg. But if the address either ends with .php or a /, indicating that its a folder, it will not redirect to authorize.php. This is accomplished with the regular expression on line 4. If you want to add more exceptions to what kind of files should be redirected or not you can do that in this regular expression. Note that Apache rewrite module mod_rewrite has to be enabled for this to work.

The PHP file (authorize.php)
What’s important in the PHP file below is the code from line 9 to 17 which opens the originally requested file, sets the proper MIME type to the header and send the content of the file to browser. The authentication and authorization should be performed before this code is run to prevent access to the requested file.

 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27

PHP Functions for adding and removing paths in the .htaccess file
Below are a couple of functions you can use to manipulate the .htaccess file i.e. add and delete restricted paths to it. The functions will not remove any previous content that may be found in the .htaccess file. So to use these methods simply create an empty .htaccess file and make sure its readable and writeable by the webserver or if you have one already, just make sure its readable and writeable by the webserver.

Note that making the .htaccess file readable and writeable for the webserver represents a certain risk, so make sure that no users can get access to the file through your other webscripts.

 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149

### 10 Responses

1. Bilbo Bizarro says:

I like your scheme but have a question regarding the location of authorize.php. In my projects I always locate my working code (php) outside of the webroot and use a config file or include path to set paths for working code. What impact will this have on the syntax for accessing the authorization.php file? Will Apache be able to execute such paths from an htaccess file. If so, what would the path structure look like if say the php was in a php_inc folder outside of webroot?

2. Larry says:

Erik

For the line above RewriteCond %{REQUEST_URI} ^\/(path\/to\/some\/folder|dummy)\/.*$If I want to restrict the contents of a folder called “lucky” what would the line above look like? Cannot seem to find references on sytnax anywhere. Thank you • Erik Smistad says: The syntax is called regular expression, or regex for short. Long time since I made this, but I guess you would replace path\/to\/some\/folder with just lucky. 3. Jose says: Hi, I don’t know if you are still around, but I am implementing this, however I have some problem when it comes to mobile devices, it sends me to the login page, I use the correct credentials but still send me back to the login page, which is strange since it doesn’t happen on a laptop or a computer, do you have any idea why could that be? 4. Victor kumilamba says: i want to write a code whereby i want to restrict all URl’s that are within the database which i have created in MySQL from accessing the internet 5. thermal148 says: Thank you in advance towards the aid! 6. Rob says: This script fails if there is any space (%20) in the filename 7. kinderjit singh says: I want to restrict users to use my images folder. Please add the answer on my personal site. you can add your suggestions on http://www.jvdinfoways.com in artical page. 8. Sunny Goyal says: if you tell where to put these files on server then it will be more helpful. otherwise method looks great but mine is not working i think due to that i dont know where to put these files on server • Erik Smistad says: All the files can be put on your website’s base folder. The mime_content_type has been marked as deprecated for newer versions of PHP. So if thats the problem you need to replace the mime_content_type function with something like:$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_SERVER[‘DOCUMENT_ROOT’].$_SERVER[‘REQUEST_URI’]);