Restrict access to a sub folder on a CMSB controlled site to logged in users only
9 posts by 5 authors in: Forums > CMS Builder
Last Post: January 29, 2021
Hi All,
I'm trying to restrict access to a sub folder on a CMSB controlled site to logged in users only, on a site that's using the website membership plugin.
I'd rather that the users didn't have to enter another username and password, and that kind of eliminates the .htaccess route.
In addition to CMSB controlled pages, there are some 3rd party programs in the sub folder and I've tried hacking their page codes, but that really made a mess of things.
Any thoughts?
Thanks, and best wishes for a happier new year.
Jerry Kornbluth
Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php
By Deborah - January 7, 2021
Jerry, I no longer have any sites running Website Membership, but here's some code from my archives that might be helpful. I seem to remember this working when it was online.
<?php // WEBSITE MEMBERSHIP START //
// error checking
$errorsAndAlerts = alert();
if (@$CURRENT_USER) { $errorsAndAlerts .= "<a href=''>Log Out</a><br/>\n"; }
if (!$CURRENT_USER && @$_REQUEST['loginRequired']) { $errorsAndAlerts .= "Please log in to continue.<br/>\n"; }
// save url of referring page so we can redirect user there after login
if (!getPrefixedCookie('lastUrl')) { setPrefixedCookie('lastUrl', @$_SERVER['HTTP_REFERER'] ); }
// WEBSITE MEMBERSHIP END //
?>
WEB PAGE CONTENT:
<?php if (@$CURRENT_USER): ?>
(show content for logged-in user)
<?php if (@$errorsAndAlerts):
// show errors/alerts ?>
<div>
<?php echo $errorsAndAlerts; ?><br>
</div>
<?php endif ?>
<?php // endif current_user
endif ?>
If that doesn't work, I might have more code to delve into or someone else might have an immediate answer.
~ Deborah
Hi Deborah,
Thanks for the lengthy response.
I've tried to do that kind of thing, and it has indeed worked for any of the CMS controlled pages.
Where I've been running into issues is when I've tried to implement that type of code on 3rd party programs.
Besides, there are sometimes a great many files in their programs and I was hoping for a more global approach that would keep non-logged-in users from accessing the containing folder itself.
Maybe that can't be done, but I figured that it didn't hurt to ask.
Again, thanks,
Jerry Kornbluth.
By Toledoh - January 7, 2021
I’d think that you may be able to achieve this by .htaccess and a cookie created with the login process? - but the specifics of how to implement that are way beyond me! Very interested in how you progress though :)
Tim (toledoh.com.au)
By gkornbluth - January 7, 2021 - edited: January 7, 2021
Hi Tim,
Interesting thought...
Maybe someone will come up with the magic formula.
Jerry Kornbluth
By Jenna - January 27, 2021
Hi Jerry,
Just wanted to do a quick check in regarding this thread: are you still searching for a solution to restrict user access to sub-folders?
Please let us know if we can be of assistance.
interactivetools.com
I am, thanks for following up.
Jerry Kornbluth
By Dave - January 29, 2021
Hi Jerry,
I can't think of an easy clean solution. To do it with PHP you'd need to add some code to all the 3rd party programs, and ensure that it didn't conflict with any of their code.
Maybe if we set a PHP session variable to indicate if a user was logged in, that would be easier to check. But you still have the issue that if any of the 3rd party apps are upgraded the code will be overwritten, and website membership would also need to clear that setting.
Tim's cookie idea is interesting, but you'd need to make sure people couldn't fake it since cookies are client side. But maybe something along the lines of having htaccess code that redirects to the login page unless something is set that indicates a valid login.
Or another approach is to only have the folder accessible through a time-expired URL or URL alias (e.g.: /members-j93dej7834/) that changes at intervals so it's not possible to guess it unless you can log in.
But I can't think of an easy way to implement any of those without further research and custom code, and even then they seem a bit tricky.
interactivetools.com
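One way to meet the "couldn't fake it" requirement for the cookie idea discussed above is to sign the cookie value with a server-side secret and give it an expiry. This is an added example, not code from the thread or from CMS Builder or Website Membership; the function names, secret and token layout are hypothetical, and it assumes every request into the protected folder is routed through a PHP script that calls gate_verify_token().

```php
<?php
// Added example: not CMS Builder or Website Membership code; all names are hypothetical.
// Assumption: GATE_SECRET is a long random value loaded from outside the web root.
const GATE_SECRET = 'REPLACE-WITH-LONG-RANDOM-SERVER-SIDE-SECRET';
const GATE_TTL    = 900; // seconds a token stays valid after login

// Build the cookie value at login: base64(userId|expiry) + "." + HMAC of that payload.
function gate_issue_token(string $userId, int $now): string {
    $payload = $userId . '|' . ($now + GATE_TTL);
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, GATE_SECRET);
}

// Return the user id for an authentic, unexpired token, otherwise null.
function gate_verify_token(string $token, int $now): ?string {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) { return null; }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) { return null; }
    // Recompute the MAC server-side; hash_equals() compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, GATE_SECRET), $parts[1])) { return null; }
    $sep = strrpos($payload, '|');
    if ($sep === false) { return null; }
    $expiry = substr($payload, $sep + 1);
    if (!ctype_digit($expiry) || (int)$expiry < $now) { return null; }
    return substr($payload, 0, $sep);
}

// Self-check with constructed values (fixed clock so the result is repeatable).
$now    = 1611900000;
$token  = gate_issue_token('42', $now);
$mac    = explode('.', $token, 2)[1];
$forged = base64_encode('1|' . ($now + GATE_TTL)) . '.' . $mac; // payload edited, old MAC reused
var_dump(gate_verify_token($token, $now));                // genuine token
var_dump(gate_verify_token($forged, $now));               // edited payload
var_dump(gate_verify_token($token, $now + GATE_TTL + 1)); // past expiry
```

A token like this stays valid until its expiry even after logout, so the logout step would also need to expire the cookie, and a short lifetime limits the exposure if one is copied.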
Hi Dave,
Thanks for your detailed response.
I guess that if it becomes important enough to the client, I'll look to your paid support to dive into this further.
Best, and have a good weekend,
Jerry Kornbluth