Password protection and prevent download

  • Juerg Beck

    Password protection and prevent download

    Hello all
    I'm completely new to php but a complete newbie when it comes to unix.
    So please don't laugh about my problem.

    I have programmed a nice password check with php, javascript and a
    database and it works. But as I have removed the access control with
    .htaccess on the server I recognized that everybody can now directly
    download all documents without a password, as long as they know the
    filename and location.

    I assume that for any unix hacker it should not be a problem to find
    all filenames somehow.
    Is this true? Have I opened a security hole on the server?
    If yes, how can I prevent it? And how can I protect some directories
    with sensitive data and only show it when somebody has properly
    entered his personal password?
    I mean, is it possible to still use the .htaccess on some directories
    and grant access to this directory for those users that correctly
    identified themselves, without having to enter another password?

    thanks
    greets
    Juerg
    ** Posted from http://www.teranews.com **
  • Sjoerd

    #2
    Re: Password protection and prevent download

    Juerg Beck wrote:
    I have programmed a nice password check with php, javascript and a
    database and it works. But as I have removed the access control with
    .htaccess on the server I recognized that everybody can now directly
    download all documents without a password, as long as they know the
    filename and location.
    Suppose your files are in http://www.example.org/files/. If your server
    is configured to show a directory index, it will show a list of files
    when someone requests http://www.example.org/files/. This is not what you
    want, so you could turn off directory index for that directory. That will
    make it very hard for any visitor to get a list of files.

    Another way to get a list of files is when someone has access to your
    server. For example, if you host your site on a shared host, other people
    using the same host may be able to get a list of files.

    Finally, someone may just guess the filename or pass the URL on to
    friends and family.

    What you really want is that people can only get the files through your
    script, and can not pass the URL around.

    To do this, you put your files outside of your document root so that they are
    no longer accessible through http://www.example.org/files/ or any other
    URL. To access the file, you make a PHP script which first checks the
    password and then serves the file. This makes downloading the file
    without the password impossible.

    It goes something like this:
    <?php
    // Read the submitted password; use '' if the form field is missing.
    $pass = $_POST['password'] ?? '';
    if ($pass === 'supersecret') {
        // Path to the file, kept outside the document root.
        $file = 'protectedfile.mp3';
        // Set some headers to indicate that the user is downloading
        // a file (application/octet-stream is the standard generic type).
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . basename($file) . '"');
        header('Content-Length: ' . filesize($file));

        // Pass the file to the visitor.
        readfile($file);
    } else {
        echo 'Wrong password.';
    }
    ?>
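    The approach described in the reply above (files outside the document root, served only by a PHP script after the access check) fleshed out into a complete download handler. This is an added example, not code from the original thread or from either poster. It assumes a hypothetical login script that has already validated the password against the database and set `$_SESSION['user']`, a private directory `/var/www/private/` that is not below the document root, and a request of the form `download.php?file=<key>`; the file names and keys in `$files` are made up for illustration.

```php
<?php
// Added example (not from the original post): serve a protected file
// through PHP after an application-level login, with the file kept
// outside the web server's document root so no URL reaches it directly.
//
// Assumptions (hypothetical, not from the thread):
//   - a login script has already set $_SESSION['user'] after checking the
//     password against the database;
//   - files live in /var/www/private/, which is NOT under the document root;
//   - the client requests download.php?file=<key>.

declare(strict_types=1);

session_start();

// 1. Access check: reuse the existing login session instead of asking the
//    visitor for a second password.
if (empty($_SESSION['user'])) {
    http_response_code(403);
    exit('Please log in first.');
}

// 2. Map public keys to real files. With a fixed allow-list the client never
//    supplies a path, so "../" tricks and probing for other files on the
//    server are not possible through this script.
$files = [
    'report'  => ['path' => '/var/www/private/report-2024.pdf', 'mime' => 'application/pdf'],
    'podcast' => ['path' => '/var/www/private/episode01.mp3',  'mime' => 'audio/mpeg'],
];

$key = $_GET['file'] ?? '';
if (!isset($files[$key])) {
    http_response_code(404);
    exit('No such file.');
}

$path = $files[$key]['path'];

// 3. Defence in depth: even with an allow-list, confirm the resolved path is
//    inside the private directory and is a regular, readable file.
$base = realpath('/var/www/private');
$real = realpath($path);
if ($base === false || $real === false
    || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0
    || !is_file($real) || !is_readable($real)) {
    http_response_code(404);
    exit('No such file.');
}

// 4. Send the file. basename() keeps the server-side directory layout out of
//    the response; Cache-Control: no-store stops intermediaries from keeping a
//    copy that could later be served to someone without a session.
header('Content-Type: ' . $files[$key]['mime']);
header('Content-Disposition: attachment; filename="' . basename($real) . '"');
header('Content-Length: ' . (string) filesize($real));
header('Cache-Control: no-store');
header('X-Content-Type-Options: nosniff');

readfile($real);
```

    Because the files are not under the document root, no .htaccess rule is needed to protect them: the web server has no URL for them at all, and the only way to obtain one is through this script, which checks the session first. For directories that must stay under the document root, the directory listing mentioned above is switched off in Apache with `Options -Indexes` in that directory's .htaccess, but that only hides the listing; it does not stop anyone who already knows a filename.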
