Question

I have two headers: one to display for a logged in user, and one to display when logged out/not a member. I also have a footer that should be duplicated on each page. I had the idea to use SSI to include the header and footer.

As of now, we haven't started much server-side processing, and thus don't keep track of logged in/logged out users. As such, for now, I just want to use the page that is including the header to determine which to display. I had the idea to use a PHP file as the header instead of an SHTML file, so I could do some processing to determine which header to show.

So is it possible to determine which page is calling the include with PHP?

Am I going about this all wrong? If so, what solution is more appropriate?

For example, each html page fits this general layout:

<html>
<head>
    <!-- relevant header calls -->
</head>
<body>
    <div id="body">
        <!--#include virtual="header.php"-->
        <!-- actual page content -->
    </div>
    <!--#include virtual="footer.shtml"-->
</body>
</html>

And in header.php I want something like:

<?php
if(/*page is a non-logged in page*/){
    echo(/*logged out header*/);
} else {
    echo(/*logged in header*/);
}
?>

Solution

So is it possible to determine which page is calling the include with PHP?

No idea. But if it is possible it will be via $_SERVER. Put this in your header.php for testing:

<?php
echo '<pre>';
print_r($_SERVER);
echo '</pre>';

However, if the page is being requested as *.html with Server-Side Includes I can't even begin to predict what kind of havoc this is going to play with PHP Sessions. I have doubts that session_start() will ever be able to set proper headers in this context, or if the PHP session cookie will ever be sent to the client or be passed through SSI back to PHP.

As far as I am aware/concerned SSI should only ever be used to include static content or dynamic content that does not rely on any sort of interaction with the user, including something as basic as if they're logged in or not. SSI is a kludge between static and dynamic pages and should be referred to as "kinda-sorta-dynamic-but-not-really".

Short answer: SSI is going to be a massive pain in the ass, ditch it and just use PHP include().

Edit: Your page would look something like this at the most basic level, and is not really any more complex than using SSI. If you took a more MVC-oriented approach [namely the C and V parts] it would become more manageable:

<?php
session_start();
// other initialization
?><html>
<head>
    <!-- relevant header calls -->
</head>
<body>
    <div id="body">
        <?php
        // !empty() avoids an undefined-index notice when the flag was never set
        if (!empty($_SESSION['is_logged_in'])) {
            echo '<!-- logged in header -->';
        } else {
            echo '<!-- logged out header -->';
        }
        ?>
        <!-- actual page content -->
    </div>
    <?php include("footer.php"); ?>
</body>
</html>

OTHER TIPS

For the sake of ease in programming it's best to use one or the other. It's best to go with PHP exclusively because:

  1. Massive support community at php.net
  2. In most implementations it's faster than using the SSI because PHP is designed to do all of the processing and parsing of PHP code, whereas an SSI has to read your SHTML page (after it's written) and sift between comments and includes, then include all of the components.
  3. If you're including PHP pages as SSIs you're making Apache wait on PHP, whereas if you were using PHP alone it would have already delivered the page.
  4. You can do things with databases and a lot more with PHP.
  5. PHP pages can't be accessed from the server without being processed, so there is less risk of someone exploiting your code vulnerabilities if you're using standard practices.
  6. SSIs are plainly readable as code (and very limited).

You can include an SSI with PHP if you're running PHP as an Apache Module, using the function virtual(), but why would you want to? You can include() just about anything into PHP.

Example

I'm going to use an account management site as an example. To make the header dynamic you'll need to find the $var for the page calling it (I'm going to use $_SERVER['REQUEST_URI']). There are several reserved server variables in PHP that you can reference to make calls depending on circumstances. So let's say the authorized directory where all logged in pages go is called "auth"; your common shell file might look like this:

<?php
//Check for the page the person is asking for
session_start();

$root = $_SERVER['DOCUMENT_ROOT'];

//Check for the "auth" directory (on a path-segment boundary, so "/authors" does not match)
if(preg_match('!^/?auth(/|$)!',$_SERVER['REQUEST_URI'])){
    //Do some check to see if they've been authenticated... this one is not secure, but you get the idea
    if(!empty($_SESSION['logged_in'])){
        //Require the correct header
        require_once($root.'/includes/logged-in-header.php');
    } else {
        //They don't belong or they're not logged in, kick them back to the login page.
        header("Location: /login.php?e=1");
        die();
    }
} else {
    //It's not an authorization required page, so show the standard header.
    require_once($root.'/includes/non-auth-header.php');
}

//let's find out the page that's loading the shell.
//basename() keeps only the file name, e.g. "billing.php" from "/auth/billing.php"
$pageName = basename($_SERVER['SCRIPT_NAME']);

switch($pageName){
    /*Auth pages*/

    case "billing.php":
        require_once($root.'/includes/billing.php');
        break;

    case "account.php":
        require_once($root.'/includes/account.php');
        break;

    case "logout.php":
        require_once($root.'/includes/logout.php');
        break;

    default:
        //show the login page
        require_once($root.'/includes/login.php');
}
require_once($root.'/../shell.php');
require_once($root.'/includes/footer.php');
?>

So if you were in the auth directory and you were not logged in, you would get the homepage. If you're in the auth directory on the billing.php page and you are logged in, the site would load the billing page.

The auth/billing.php code might look like this:

<?php require_once($_SERVER['DOCUMENT_ROOT'].'/../shell.php');

The includes/billing.php code would contain all of the workings of the page and it can be formatted in HTML, but you'd probably pull that stuff from a database.
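The shell's routing decision can be isolated into one function and exercised without a web server. The sketch below is an added example, not code from either answer: `resolve_shell_request()`, the `PAGES` allowlist and the sample requests are hypothetical, while the include paths follow the layout used above. It picks the header from the session state, matches the "auth" directory on a path-segment boundary, and requires the session flag to be a real boolean.

```php
<?php
declare(strict_types=1);

// Allowlist: page name => [include file, requires login]. File names follow
// the answer's layout; the map itself is an assumption of this example.
const PAGES = [
    'billing.php' => ['/includes/billing.php', true],
    'account.php' => ['/includes/account.php', true],
    'logout.php'  => ['/includes/logout.php',  true],
    'login.php'   => ['/includes/login.php',   false],
];

/**
 * Decide what the shell should do for one request (hypothetical helper).
 * Returns ['redirect' => url] or ['header' => file, 'body' => file].
 */
function resolve_shell_request(string $requestUri, string $scriptName, array $session): array
{
    // Use only the path: the query string must not influence the auth check.
    $path = (string) parse_url($requestUri, PHP_URL_PATH);
    // Match the directory on a segment boundary so /authors/ is not "auth".
    $inAuthDir = (bool) preg_match('!^/auth(?:/|$)!', $path);
    // Strict comparison: only a boolean true set at login counts.
    $loggedIn = ($session['logged_in'] ?? false) === true;

    $page = basename($scriptName);
    // Unknown names fall back to the login page, never to a computed path.
    [$body, $needsLogin] = PAGES[$page] ?? PAGES['login.php'];

    if (($inAuthDir || $needsLogin) && !$loggedIn) {
        return ['redirect' => '/login.php?e=1'];
    }
    return [
        'header' => $loggedIn ? '/includes/logged-in-header.php'
                              : '/includes/non-auth-header.php',
        'body'   => $body,
    ];
}

// Constructed sample requests (not from the original page).
$samples = [
    ['/auth/billing.php',     '/auth/billing.php',  []],
    ['/auth/billing.php?x=1', '/auth/billing.php',  ['logged_in' => true]],
    ['/authors/index.php',    '/authors/index.php', []],
    ['/auth/billing.php',     '/auth/billing.php',  ['logged_in' => '1']],
];
foreach ($samples as [$uri, $script, $session]) {
    echo $uri, ' => ', json_encode(resolve_shell_request($uri, $script, $session)), PHP_EOL;
}
```

Because the body file always comes from the allowlist, nothing taken from the request is ever concatenated into a `require_once` path.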

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow