help with client login script please!

facelessface

This is probably a very simple question, but here goes:

I'm writing a client login script using PHP - how it is going to work is this:
1. usual will login via a login form using PHP
e.g. www.mysite.com/admin/
2. this will take the user to a page which lists all files in a certain directory - with links for them to download

This works fine.. The only problem i have is that there is nothing to stop the user typing the URL to the downloadable file in their browsers, thus bypassing my security!! e.g. by typing in www.mysite.com/admin/files/picture1.jpg

Any ideas of a simple solution to this?? Can i somehow use CHMOD to only allow access to the files using a PHP script?

Mike

Blulagoon

You can create a .htaccess file for the files directory, which will prevent this from happening.

Something like this should do the trick:

Order allow,deny
deny from all

HTH - Blu

Assuming you are working with Apache.

facelessface

Blulagoon wrote:
You can create a .htaccess file for the files directory, which will prevent this from happening.

Something like this should do the trick:

Order allow,deny
deny from all

HTH - Blu

Assuming you are working with Apache.

OK - but is there a way to prevent the 'pop-up' username/password box appearing if you've already logged in through my PHP script? Or is the password required box going to pop up each time they request a file

Blulagoon

If you search for htaccess in google you'll find the syntax for adding usernames and passwords.

Blu

etully

What you want to do is write a PHP script that serves up the files. Let's say the script is called get_file.php. So the link to picture1.jpg looks like this:

http://www.mypage.com/get_file.php?file=12

Then the logic of get_file.php looks like this:
1. Check cookie to see if user is logged in.
2. If no, send them to the login page.
3. If yes, then figure out which file they are trying to see.
4. From the URL, $file = 12 so look that up in an array or a database.
5. you determine that file #12 is picture1.jpg.
6. Print out content headers for JPG.
7. Read and output the contents of picture1.jpg

This way, there is no .htaccess pop up. And you have 100% control over their ability to retrieve the file. (Of course, they could still save, copy, and republish the file so it's not perfect protection, but it does prevent them from loading the file from your site unless they are logged in).

facelessface

etully wrote:
What you want to do is write a PHP script that serves up the files. Let's say the script is called get_file.php. So the link to picture1.jpg looks like this:

http://www.mypage.com/get_file.php?file=12

Then the logic of get_file.php looks like this:
1. Check cookie to see if user is logged in.
2. If no, send them to the login page.
3. If yes, then figure out which file they are trying to see.
4. From the URL, $file = 12 so look that up in an array or a database.
5. you determine that file #12 is picture1.jpg.
6. Print out content headers for JPG.
7. Read and output the contents of picture1.jpg

This way, there is no .htaccess pop up. And you have 100% control over their ability to retrieve the file. (Of course, they could still save, copy, and republish the file so it's not perfect protection, but it does prevent them from loading the file from your site unless they are logged in).

Thanks. This looks like what i'm looking for. But surely the files WILL still need to be stored somewhere on the server? So if someone guesses where they are stored - they could still gain direct access to them - by typing the URL into the web browser?

etully

Right! This is why most hosting companies (good ones, anyway) give you an htdocs directory. (Sometimes called "html", "www", "public_html", or something like that). Anything inside the htdocs directory can be pulled up with a web browser. You can create a directory that exists outside the htdocs directory. Your get_file.php script can read from that directory but a web browser cannot.

You are correct to worry about people guessing where the files are located. You also have to worry about the disgruntled ex-employee. When your company grows to 300 people, you will eventually have someone leave on bad terms. They could tell all their friends, "The files are located in a directory called "secret19283745jdcncjdjkejfl.t" and your security would be broken. By storing the files in a directory outside the htdocs directory, even the disgruntled ex-employee can't give away your secret because the files simply can't be accessed by a web browser (except through get_file.php and the right user/pass, of course).

Blulagoon

I think what etully is saying is you put the .htaccess in your files folder, then use the php file to serve the files which avoids .htaccess generating the pop up you were complaining about. Does this make sense to you ?

Blu

Edit: Etully posted whilst I was writing. Placing the files outside of the htdocs directory, if you have that option, is ofcourse the best way to protect them, but failing that .htaccess would be second best.

edwardp

i use a mysql database with a table with usernames and password (use password encyption required when going live!). and use php sessions

Then basically run an sql query from a form (to post the data) that returns all usernames and passwords supplied (should only be one) if the username and password exist in the same record, register the username variable or session_id and then on each page/script in the 'member' area put this code in


session_start();
if(!session_is_registered(myusername)){

//return the user to login screen

}else{

   //page detail if allowed to see page

}

etully

Ah yes. Blulagoon is right. Outside is best. And .htaccess is a very good second because the only people who would see the .htaccess pop-up are the ones who are trying to beat the system. Regular customers trying to view the files through get_file.php would be accessing that script in a directory that doesn't have the .htaccess file so they wouldn't get any .htacess pop-up. The get_file.php script can read the files from the .htaccess protected directory without triggering the pop-up. Good point.

facelessface

etully wrote:
Ah yes. Blulagoon is right. Outside is best. And .htaccess is a very good second because the only people who would see the .htaccess pop-up are the ones who are trying to beat the system. Regular customers trying to view the files through get_file.php would be accessing that script in a directory that doesn't have the .htaccess file so they wouldn't get any .htacess pop-up. The get_file.php script can read the files from the .htaccess protected directory without triggering the pop-up. Good point.

Thanks guys - i'll try this tonight

Mike