how to enfore security on non-php files?

aboyd

I have a PHP page which, using sessions, checks a person's security level, and then only displays the Word and Acrobat files that the person is cleared to see. This seemed like fine security at first, but I have found a problem. A manager can see lots of files most people can't. Say a manager right-clicks a link to a file, copies the URL, and emails the URL to an employee. That employee directly accesses the Word or Acrobat file, bypassing the "secure" PHP page. Suddenly my security fails.

How do you guys deal with this issue? I think a couple alternatives might be to use "chown" and "chgrp" to secure files at a server level, or else to filter everything through a PHP page -- but how do I know what "Content-type" header to send? Do I maintain a list of every file extension used and the header that goes with it? Or can I leverage something else?

Anon

This tip may help:
http://phpbuilder.com/tips/item.php?id=5

[deleted]

Simple: make your script look for a piece of authorisation data in the session, or set a cookie on the client when he logs in.
When he requests a document, you check if the cookie is there. No cookie? No file!
You can add all sorts of other things, like checking the client's IP, browsertype etc. If anything doesn't match, refuse the file.

roel_v

Yeah, these nasty managers always find ways to circumvent security ROTFLMA.
Anyway, you can move these files out of the document root, and have a page callet get_file or something. Then you link to this page like get_file?filename=report.doc, and in this file you check for security clearance; if it's ok, you send them the file like explained in the link in Chauncey's reply.

Anon

but there still is the problem guys...

if the user manages to find out the link to the file they could still access the file directly anyway