PHP secure login outside of document root


I have created a secure login system using sessions & PHP. The user has to enter a username & password to view certain pages and if the particular session has not been set they are redirected away.

I have been told that it is wise to put any includes / sensitive files etc. outside of the document root.

How can I put all of the admin section files outside of the document root but still have them accessible to a 'logged in' user?




Julian HansenCommented:
You make your master page the only page that is in the root like so (suggestion)



All your sensitive files go in the ../lib folder and are loaded using master.php which can make decisions based on URL / Session state about what to add.

The above is a very simplistic example but it is basically what I use in my code for precisely the same reason - the only file you can browse is the index.php file.

Julian HansenCommented:
Sorry - correction

    require_once(BASE_PATH . 'master.php');

In master.php you do the following

    define('BASE_PATH', dirname(__FILE__) );

That way BASE_PATH gives you the root of the lib folder so you can use it anywhere in your code to include any file
Julian HansenCommented:
damn - not focused this morning

In index.php you have
In master you define BASE_PATH as the root to the lib folder.

The second post will set BASE_PATH to the path to the index.php

Ray PaseurCommented:
"includes / sensitive files etc."  Do you have any particular reason why you want to put your included files outside of the document root?  Maybe if you explain a little more about what you're trying to accomplish we can offer more sophisticated advice.  It may not be necessary to complicate your programming by using arcane file paths.

A login system (that has everything in the document root) is available here:
Steve BinkCommented:
The "sensitive files" issue is the idea that a user can request an include file in the URL and have it sent to them.  I address this in one of two ways:

1) All of my include files use a specific extension (e.g., *.inc), and that extension is disallowed in Apache's configuration, much like .ht* is disallowed.  
2) Include code in the file to check the original request's filename.  If it is the include file, not a "normal" file, either redirect or return an error page in the response.

If you decide to go with placing your files outside the document root, be sure your open_basedir directive is set appropriately.
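Steve's second option, an in-file check that refuses to run when the include itself is the script the web server executed, as an added example rather than code from his post (the file name and the 403 response are assumptions):

```php
<?php
// lib/config.inc -- guard placed at the very top of an include file (assumed name).
// When Apache/PHP serves this file directly, SCRIPT_FILENAME is this file; when it is
// pulled in via require/include from index.php, SCRIPT_FILENAME is index.php instead.
// realpath() normalises symlinks so the comparison with __FILE__ is reliable.
if (realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    http_response_code(403);
    exit('Forbidden');
}

// ... the actual include contents follow here, e.g. configuration constants.
define('DB_HOST', 'localhost'); // constructed placeholder value
```

This is a fallback for the case where the extension-based deny rule (option 1) is missing on one virtual host; it does nothing to protect a file the server is configured to serve as plain text rather than execute.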
DrZork101Author Commented:
Hi Guys,

sorry for the late reply!

I want to keep all of my admin files outside of the document root as I believe it to be safer. I've been reading 'Essential PHP Security' by Chris Shiflett and he states

"By storing as much of your PHP code outside of document root as possible, you limit the risk of exposure. At the very least, all includes should be stored outside of document root as best practice"

So therefore I want to put as much of the admin section outside of the document root to minimize risk.



Julian HansenCommented:
The basic principle is to locate your files and folders outside the root and then include what you need using the php include statements (require, require_once and include)

By setting a BASE_PATH value in the beginning you can then easily access any of your library files by prepending the BASE_PATH value to the path you are trying to access in your library folder.

    require_once(BASE_PATH . '/path_to_file/filename.php');

This is a good way to protect your code - not to take anything away from the suggestions above - but if you forget to put a .htaccess in one of your folders then you are vulnerable - this way there is no way of anyone getting access to your script files through a URL request
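The layout Julian describes, written out as an added example (not code from his posts): `public/` is the document root and holds only `index.php`; `lib/` sits beside it and is never served. The directory names, the `page` query parameter and the session key `user_id` are assumptions. The route table is a whitelist so that the path passed to `require_once` is never built from raw user input.

```php
<?php
// public/index.php -- the only PHP file inside the document root (assumed layout:
// /var/www/site/public is the document root, /var/www/site/lib holds everything else).
declare(strict_types=1);

// BASE_PATH is the lib folder, resolved from this file's own location, so it works
// regardless of the current working directory or where the site is deployed.
define('BASE_PATH', dirname(__DIR__) . '/lib');

require_once BASE_PATH . '/master.php';

// ---------------------------------------------------------------------------
// lib/master.php -- loaded only through index.php; decides from the URL and the
// session state which library file to pull in.
session_start();

// Whitelist: request name => file under BASE_PATH. A lookup by key means a request
// like ?page=../../etc/passwd can never reach the filesystem.
$routes = [
    'home'      => '/pages/home.php',
    'login'     => '/pages/login.php',
    'dashboard' => '/admin/dashboard.php',
];
// Pages that require an authenticated session.
$adminPages = ['dashboard'];

$page = $_GET['page'] ?? 'home';
if (!array_key_exists($page, $routes)) {
    http_response_code(404);
    exit('Not found');
}

// The session check lives here, in one place, rather than being repeated in each
// admin file; an admin file that is never routed is simply unreachable.
if (in_array($page, $adminPages, true) && empty($_SESSION['user_id'])) {
    header('Location: /index.php?page=login');
    exit;
}

require_once BASE_PATH . $routes[$page];
```

The two files are shown in one listing for brevity; in a real tree they are separate files at the paths given in the comments.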

