I am writing a development area for my clients to view their sites as I work on them. However, I'd like to restrict the directory of a given project to only users who are associated with that project. I'm looking for a way to create a "wrapper" so to speak, that wraps around all items in a project directory, and only allows users to view the directory if it is their project.

I was thinking of using frames as the wrappers. While this would prevent the directory from showing up in the address bar, it wouldn't prevent anyone else who knows the directory from accessing the project. Is there a way I can make sure no one can access the directories unless they go through my frames? Or does anyone have another suggestion?

Thanks in advance.

- EF

I wanted to avoid the .htaccess route 'cause it doesn't look very nice. Plus I want to include the development page in a frame within my site, so I can offer options alongside.
Normally I could just add a snippet at the top of each page that checks if the user is logged in using sessions. But if I'm working on something like WordPress, I'm not sure this solution would work; it may interfere with WP's sessions.

Well, regardless of whether you put the WP site in a frame or not, the session gets tied into the browser, so if a customer authenticated to your system and then was able to see their WP site and could authenticate to it, that should be fine.

commented: Confirmed what I was thinking. +2

True. That's pretty much what I'm going to go with. Add a snippet to check their session, and kick them out if they're not logged into my system.

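session_start(); // resume the session created at login
if (empty($_SESSION['loggedin'])) { // not logged in, or the key was never set
	header("Location: http://www.mydomain.com/"); exit; // exit so the protected page is not sent after the redirect
}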

Or something along those lines.

I was concerned that session_start() would conflict with WordPress, but as it turns out WordPress itself doesn't use sessions at all! The only area that may cause a conflict is in the case of plugins that utilize sessions, but there are ways to prevent problems there using WP hooks.

Thanks for your input, pixelsoul.

I may be wrong (never tried or tested it) but I don't think it would matter if you had a session in your app and WordPress set its own session because they are separate, especially if you gave yours a session name. I would actually have to test that one out myself to really know if it was possible or not.
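The session check discussed in this thread, extended to the original question (only users associated with a project may view that project's directory) and using a named session as suggested above. This is an added example, not code posted by anyone in the thread. It assumes the login page uses the same session name and sets `$_SESSION['loggedin']` plus a `$_SESSION['projects']` list; `DEV_ROOT`, `GATE_SESSION_NAME` and the function names are hypothetical.

```php
<?php
// gate.php: added example, not code from the thread.
// Assumed: the login page calls session_name(GATE_SESSION_NAME) and sets
// $_SESSION['loggedin'] = true and $_SESSION['projects'] = ['acme-site', ...]
// (directory names under DEV_ROOT; 'acme-site' is a constructed sample).
const DEV_ROOT          = '/var/www/dev';              // hypothetical path
const LOGIN_URL         = 'http://www.mydomain.com/';  // URL used in the thread
const GATE_SESSION_NAME = 'DEVAREA';                   // hypothetical cookie name

// Map the executing script to its project directory, e.g.
// /var/www/dev/acme-site/wp-admin/index.php -> "acme-site".
// Works on the resolved filesystem path, so "../" in a URL cannot change it.
function project_for_script(string $script, string $root = DEV_ROOT): ?string
{
    $real = $script === '' ? false : realpath($script);
    $root = realpath($root);
    if ($real === false || $root === false) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null; // script is outside the development area
    }
    return explode(DIRECTORY_SEPARATOR, substr($real, strlen($prefix)))[0];
}

// Fail closed: a missing flag, a missing list or an unknown project all deny.
function may_view(array $session, ?string $project): bool
{
    return $project !== null
        && !empty($session['loggedin'])
        && in_array($project, $session['projects'] ?? [], true);
}

function enforce_gate(): void
{
    session_name(GATE_SESSION_NAME); // own cookie instead of the default PHPSESSID
    session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);
    $project = project_for_script($_SERVER['SCRIPT_FILENAME'] ?? '');
    if (!may_view($_SESSION, $project)) {
        header('Location: ' . LOGIN_URL);
        exit; // stop, or the protected page is still sent after the redirect
    }
}

enforce_gate();
```

Only requests that actually execute this file are gated: it has to be included at the top of every PHP entry point in the project, and static files in the directory (images, uploads, CSS) are still served by the web server without running it.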