using PHP to limit access to files under apache

Anon

Hi all,

The problem is how to avoid unauthorized access to files (independent of type).
I have users loging-in from session-based system, so I can identify from PHP scripts whether the user is authorized or not.
But the problem comes when the file is not php scipt (i.e image file).

I have found recommendations to use .htaccess under apache. But there is a problem as it trigers a popup window for username/password, which I don't need as my users are authorized in a form-php combination.

I saw a post with a similar problem advising to use .htaccess file in the following way:
<Location /secure>
ForceType application/x-httpd-php
DefaultType application/x-httpd-custom
Action application/x-httpd-custom "/auth.php"
</Location>
which should call the auth.php to check authorization everytime a user requests a file. But it was said not to work properly.

Please tell me how to create correct .htaccess file or what could be some other solutions. (I have seen proposals to use javascript to avoid the popup window and php script that calls fopen("username:password@www.....com/secure"); to establish connection internally, but I didn't like those solutions as they are kind of ugly).

Jaak

Anon

If you find any solution to this problem could you let me know.

ive had the same problem for bout 3 weeks and still cant find a solution.

Cheers
Neil

Anon

I didn't find the solution I was originally looking for, but I found a different approach to restrict access to files.
The idea is to use php script to parse the file. The files are hidden from public access and user can get to the files through accessing a php-script (which has access to these specific files), for example following can be used:

<?
...authorization checking...
...finding whether the filename is ok (make sure that user isn't trying to access files that do not belong to him)...

if (!is_file($filename))
  die ("no such file");

header("Content-length: " .  filesize( $filename ) . "\n" );

$fp=fopen($filename, "r"); 
fpassthru($fp); 
?>


if you want to force the user's browser to download the file use following headers:
header("Content-Type: application/download\n");
header("Content-Disposition: attachment; filename=\"$filename\"\n"); 
header("Content-Transfer-Encoding: binary\n");
header("Content-length: " .  filesize( $filename ) . "\n" );


A comment about the url: if you want a fancy urls (i.e. www...com/files/file1.zip) you have to make the webserver to send request coming to /files/ to the php script and then in php script manually extract the filename from the url.

I hope this helped.