PHP Session Authentication of Directory Index

Question

The context: I'm building a PHP 7 web application, it uses a PHP session to login and check to see if the user is logged in on each page. Here is the basic makeup of most pages:

<?php session_start(); ?>
<?php include 'the_header_and_menu.php'; ?>
<p>Page content</p>
<?php include 'the_footer.php'; ?>

At the top of the_header_and_menu.php file is an include to session_check.php which is located outside the site's directory. This PHP process does five checks, the most basic one included below.

if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] == 'false') { // If loggedin is not set, or is false, then run this block.
    header('Location: http://example.com/index?eject=noLogin'); // Send the user to the eject page.
    die(); // Exit the process.
}

Process summary: User logs in, which creates a session and its variables. When the user loads a page, a session check is performed to make sure that the user's account is valid and authorised. If the account or session is no longer valid/authorised, then the user is redirected to the login page (index).

The issue: When someone who's not logged in enters http://example.com/dashboard, they are ejected using the first check (featured above). However, if they enter http://example.com/process/, the checks seem to count for nothing and the user is shown the page. This page does not just include a directory listing, but calls the http://example.com/process/index.php file to represent it instead.

The question: How can I apply the same logic that protects individual pages like dashboard.php, to the case of protecting directory indexes?

---

Own answer:

The issue here was one which was simple, but overlooked.

At the top of the_header_and_menu.php file is an include to session_check.php which is located outside the site's directory.

Within the header and menu file was the session check include. However, because the session check was located outside the main directory (like much of the back-end), I had referenced to it through a relative path, similar to the one below.

include_once '../mainfolder/php/subfolder/sessioncheck.php';

However, because the file was being included to a subdirectory, it should've included a further ../ operator.

include_once '../../safe/php/users/sessioncheck.php';

The solution: Instead of performing a session check through the header and menu, I am now including it on every page I want to protect. This is by no means a perfect solution and simply acts to get things working again.

Thank you to Daniel Schmidt, who got me looking in the right direction!

Answer 1

The issue here was one which was simple, but overlooked.

At the top of the_header_and_menu.php file is an include to session_check.php which is located outside the site's directory.

Within the header and menu file was the session check include. However, because the session check was located outside the main directory (like much of the back-end), I had referenced to it through a relative path, similar to the one below.

include_once '../mainfolder/php/subfolder/sessioncheck.php';

However, because the file was being included to a subdirectory, it should've included a further ../ operator.

include_once '../../safe/php/users/sessioncheck.php';

The solution: Instead of performing a session check through the header and menu, I am now including it on every page I want to protect. This is by no means a perfect solution and simply acts to get things working again.

Answer 2

Directory indexes don't usually come from PHP - they are served by your webserver (nginx, apache, ..). Today, there is obviously no need to have that indexes enabled.

It looks like you're not sending each request to you're PHP process(es). I tend to suggest checking your webserver configuration.