protected documents on intranet

quichote

I made a site with protected pages using sessions and a database with the passwords. Seems to work well.

The webmasters use Frontpage to handle content.

Now they want to upload a Word document (e.g.) that people can download. So they put it in a subdirectory and make a hyperlink to that file on a protected php page.
So only people who log in see the link.

But.... once you know the link everyone can get access to the Word document. Doesn't matter if you are logged in or not.

How do I ensure only people who have logged into the intranet can actually get access to the Word document?

Don

yelvington

Don't let them do that.

Create a directory outside the web server document tree. Make it writable by the web server process.

Write an upload form and script. Return a generated link to a script of the form "/readfile.php?file=foo.doc" and let your webmasters use that URL.

In readfile.php, check for login, and if successful send an appropriate content-type header, then readfile("/path/to/files/foo.doc") .

quichote

need some more explanation if that's ok, because I'm not an expert yet.

I can make directory and make it writable. I can manage an upload script to put the document in that directory (and I guess I need to add a remove option too).

But I have 2 questions remaining:
1. I don't quite get the readfile.php idea. What is in the content-type header?
Can you give me an example?

Should that document directory be protected with .htaccess? And should readfile.php ensure the access?

Weedpacket

Originally posted by quichote
1. I don't quite get the readfile.php idea. What is in the content-type header?

That's the header in the server's response to say what sort of file is being sent. For HTML pages it's text/html; for JPEGs it's image/jpeg, and for Word documents it's application/ms-word. See the [man]header[/man] for more examples and usage.

2. Should that document directory be protected with .htaccess?

No need: it's outside the web document tree entirely - somewhere else in the filesystem away from anywhere a URL can get at - and an .htaccess file would be useless because the web server would never have cause to read it.

quichote

thanks!

I think I'm getting there, so let me summarise so you can check if I really understood it:
- make a directory on the server that is off the /web folder (where my php files are). This ensures that with a browser you cannot reach it. I'll also ask my provider where to best do that.
- upload the Word document into that folder (I guess by clearly identifying the total path - I assume you can reach it that way).
- on the protected page make a link to the file. Not directly, but via readfile.php?file=test.doc
- in readfile do an extra check to see if person is logged in (using sessions) and if so send a header and a readfile to the document.
- removing the file also via a php script.

Is this the idea?

Don

PS this will be the first time of course, but as long as I got the idea I think I can manage with all the other help around on internet.

Weedpacket

One thing I'll point out from a security standpoint is this:

on the protected page make a link to the file. Not directly, but via readfile.php?file=test.doc

For the most part, right. The problem is that you are then faced with the need to check the value of $_GET['file'] to make sure it's (a) a valid file and (b) isn't a file someone shouldn't be trying to look at. There are two approaches available:

1)
When you upload the file to the directory (yes, you're right about that part - it's surprising how many people I meet here don't get the difference between a file name and a URL), add an entry for it in a suitable database table. If you're already using one, all the better. You do this for the sake of being able to give the document a distinct ID number. Use that ID number in the links. That way, only files that are registered in that table can be accessed.

2)
Maybe simpler, but (possibly) more riskier; examine the name of the file asked for, make sure that it doesn't contain / or \ or any other such filesystem navigation stuff (otherwise someone could ask for any file on the system), and then check to see that the file asked for actually is in the document directory. One drawback to this approach though is potentially messy URLs as documents with all sorts of weird and wacky filenames are uploaded.

In either case, I should have mentioned that you probably also want to send the name of the document in the headers (see that manual page again), so that someone downloading it gets the right name to save it under.

quichote

I think I can manage the first approach with the table. Done that before, but then saving pdf files in a subdirectory within the tree.

I'll give it an ID and save it in a mySQL table.

I'll give it a try. Now it's a matter of just doing it and seeing what happens.

Thanks for your great help. :p
Don