Security discussion for members only area

passagewds

I would like to start a discussion on what would be the best method to approach a problem that seems simple, but I am not aware of the best approach.

I have a system that allows an administator to control access to a members only area. It uses basic database authorization and control.

The problem is that there is a PDF in the section that I want to restrict to the members only. If I don't htaccess protect the directory that the pdf is in then it is vulnerable to direct access because the php security for normal pages won't protect a pdf file the same way. So to get around the problem I put up a page (members only view) that shows the username and password to put into the htaccess prompt to get access to the file.

My question is, is this an acceptable method of providing security for pdf's within a members only area?

Michael

planetsim

well yes i believe so however it also depends what is the PDF file used for.

passagewds

The PDF's are articles put up by members.

I need it to protect all pdf's regardless of content.

drawmack

a couple things

1) htaccess sends the passwords in plaintext, so you are volnerable to packet sniffing when using it

2) if you want security force an https connection, I posted the code for this yesterday in the md5 or not thread

3) putting the password where you have is a very bad method of access management as if someone gets into the members area they will get the password

4) get the files out of the web root and write a php script that uses fopen to read the files in and send them down to the user. This way you can put all the normal php security measures in place on that file and they can't directly access the pdfs

5) it might do you well to put the pdfs in the database. There is an article on how to do this here: http://www.onlamp.com/pub/a/php/2000/09/15/php_mysql.html

passagewds

in reference to #4....

I want to know if I understand you correctly.... a person could call a script that fopen a pdf file?

drawmack

yuppers, then you just read the file in and spit it back out with the appropriate headers. It's a lot like the tutorial I posted a link to except you use an actual file instead of doing it from the database.

passagewds

I have managed to get this problem partly resolved by using the following.... but IE still reads garbage... Netscape works fine.

Any ideas on what to do to fix the IE problem?

<?php
	$filename="letter.pdf";
    $filepath="../articles/letter.pdf";

$filesize=filesize($filepath);

header("Pragma: public");
header("Expires: 0"); // set expiration time
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

header("Content-Type: application/pdf");
header("Content-Length: $filesize)";
header("Content-Disposition: inline; filename=$filename");
header("Content-Transfer-Encoding: binary");

//use fopen() instead of readfile...
$fp = fopen($filepath, 'rb');
$pdf_buffer = fread($fp, $filesize);
fclose ($fp);

print $pdf_buffer;

exit();

?>

j8h9x

Has anyone ever been able to get this to work in IE? I need a solution for securing pdfs...

itaym02

//Download file
if(ob_get_contents())
	die('Some data has already been output, can\'t send PDF file');

if(isset($_SERVER['HTTP_USER_AGENT']) &&           

                strpos($_SERVER['HTTP_USER_AGENT'],'MSIE'))
	header('Content-Type: application/force-download');
else
	header('Content-Type: application/octet-stream');

header('Content-Length: '.strlen($this->buffer));
header('Content-disposition: attachment; filename="'.$name.'"');
echo $this->buffer;

NogDog

Try sending it as an attachment instead of "inline":

<?php
header('Content-Length: '.$fileSize);
header('Content-Type: '.$mimeType);
header('Content-Disposition: [color=red][b]attachment[/b][/color]; filename="'.$fileName.'"');
header('Content-Transfer-Encoding: binary');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');

j8h9x

I just got back to this and will try when I arrive home tonight... Thank you.

joebob

Yes, this is how I do it. Just make sure to put the protected file outside of the public web directory!