preventing external access to directory

  • J C-W

    preventing external access to directory

    I have a directory with files (of various formats) contained within a
    website which uses PHP to control user access via session variables. I would
    like to protect the directory from direct external linking (e.g. prevent
    people typing "http://www.mysite.com/protected-directory/file.doc" into the
    address bar for example), so that users must log on to the website first to
    gain access to them. Currently, I've used a .htaccess file, but this
    requires the users to enter an additional password, which is a hassle. I'd
    like to be able to pass the htaccess username and password directly to the
    server using a script embedded in a PHP file, but since Microsoft have
    prevented the use of username/password combinations within the URL in IE,
    this method is no longer viable. Can anyone suggest an alternative solution
    or a way around the http authentication problem?

    Cheers,
    J

    --
    -----Personal Disclaimer--------
    Thanks to the explosion of abuse of email on the 'net,
    I have taken to adding this disclaimer to all email. It's
    not a legal statement, just a form of insurance. If you
    get a message that appears to be from me, but it doesn't
    have this disclaimer at the bottom, please treat it as
    spam, as it has not originated from me.
    -----End Disclaimer------



  • Daniel Tryba

    #2
    Re: preventing external access to directory

    J C-W <j@no.spam.here.com> wrote:
    > I have a directory with files (of various formats) contained within a
    > website which uses PHP to control user access via session variables. I would
    > like to protect the directory from direct external linking (e.g. prevent
    > people typing "http://www.mysite.com/protected-directory/file.doc" into the
    > address bar for example), so that users must log on to the website first to
    > gain access to them. Currently, I've used a .htaccess file, but this
    [...]

    So you are using Apache:
    - move the files out of the document root (or into a directory protected by
    .htaccess)
    - add a 404 handler to the protected-directory which points to a PHP
    script which uses your normal authentication methods
    - have this script serve the "protected" files; you'll need to set the
    correct MIME type and HTTP status (e.g. 200) if the actual file can be
    found

    --

    Daniel Tryba

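The three steps above, worked through as an added example (this is not Daniel Tryba's code or the original poster's). It assumes the real files live in /var/www/private, outside the document root, that the protected directory's .htaccess contains `ErrorDocument 404 /serve.php`, and that the site marks a logged-in session with `$_SESSION['user_id']`; all three are assumptions, as is the /login.php redirect target. Apache passes the originally requested path to an ErrorDocument handler in `REDIRECT_URL`, and the handler inherits the 404 status, so the script resets it to 200 once it has a file to send.

```php
<?php
// Added example, not Daniel Tryba's code: a 404 handler that serves files
// kept outside the document root only to logged-in sessions. Assumed Apache
// setup, in <docroot>/protected-directory/.htaccess:
//
//     ErrorDocument 404 /serve.php
//
// The real files live in /var/www/private (assumed path, outside the document
// root), so a direct request for /protected-directory/file.doc always falls
// through to this script.
declare(strict_types=1);

session_start();

const PRIVATE_DIR   = '/var/www/private';        // assumed: where the real files live
const PUBLIC_PREFIX = '/protected-directory/';   // assumed: URL prefix that 404s into this script

/**
 * Map the requested URL path to a regular file inside $privateDir, or return
 * null. realpath() collapses "..", "." and symlinks; the prefix comparison on
 * the resolved path is what actually keeps the result inside $privateDir.
 */
function resolve_private_file(string $requestUri, string $privateDir, string $publicPrefix): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path) || strncmp($path, $publicPrefix, strlen($publicPrefix)) !== 0) {
        return null;
    }
    $relative = rawurldecode(substr($path, strlen($publicPrefix)));
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return null;   // empty name, or a NUL byte that realpath() would reject
    }
    $base = realpath($privateDir);
    $real = realpath($privateDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved to somewhere outside the private directory
    }
    return $real;
}

/** Stand-in for the site's own check; the session key is an assumption. */
function is_logged_in(): bool
{
    return !empty($_SESSION['user_id']);
}

// For ErrorDocument handlers Apache puts the originally requested path in
// REDIRECT_URL; REQUEST_URI is the fallback when the script is called directly.
$requested = $_SERVER['REDIRECT_URL'] ?? $_SERVER['REQUEST_URI'] ?? '';

if (!is_logged_in()) {
    header('Location: /login.php', true, 302);   // assumed login page
    exit;
}

$file = resolve_private_file($requested, PRIVATE_DIR, PUBLIC_PREFIX);
if ($file === null) {
    http_response_code(404);
    echo 'No such file.';
    exit;
}

// A script run as an ErrorDocument inherits the 404 status, so reset it to
// 200 and send the real type; nosniff stops browsers second-guessing it.
http_response_code(200);
$mime = mime_content_type($file);
header('Content-Type: ' . ($mime !== false ? $mime : 'application/octet-stream'));
header('Content-Length: ' . (string) filesize($file));
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('X-Content-Type-Options: nosniff');
readfile($file);
```

Because the files are outside the document root, a URL typed straight into the address bar can only ever reach them through this script, and the `realpath()` prefix check means a request such as `/protected-directory/..%2F..%2Fetc/passwd` resolves to null and gets a 404 rather than a file.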

    • Pedro Graca

      #3
      Re: preventing external access to directory

      J C-W wrote:
      [snip]
      > but since Microsoft have
      > prevented the use of username/password combinations within the URL in IE,
      > this method is no longer viable.


      <quote src="http://support.microsoft.com/kb/834489">

      How to disable the new default behavior for handling user information in
      HTTP or HTTPS URLs

      To disable the new default behavior in Windows Explorer and Internet
      Explorer, create iexplore.exe and explorer.exe DWORD values in one of
      the following registry keys and set their value data to 0.

      - For all users of the program, set the value in the following
      registry key:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

      - For the current user of the program only, set the value in the
      following registry key:
      HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

      </quote>

      I haven't tested this.

      > Can anyone suggest an alternative solution
      > or a way around the http authentication problem?

      Maybe cookies, as recommended by the site above?
      --
      USENET would be a better place if everybody read: | to mail me: simply |
      http://www.catb.org/~esr/faqs/smart-questions.html | "reply" to this post, |
      http://www.netmeister.org/news/learn2quote2.html | *NO* MIME, plain text |
      http://www.expita.com/nomime.html | and *NO* attachments. |


      • J C-W

        #4
        Re: preventing external access to directory

        Thanks for the suggestion; this is kind of what I've done in the end. All
        hyperlinks to protected files are served by a script which checks for site
        authentication before delivering the file. I found the following useful
        script on another forum:

        //authentication checking script first, then...
        // Note: C_DOCUMENT_ROOT is not a standard $_SERVER key; stock Apache
        // exposes the web root as $_SERVER['DOCUMENT_ROOT'].
        $dir = $_SERVER['C_DOCUMENT_ROOT'].'/protected/';
        // basename() drops any directory part, so "../" in ?dl= cannot escape $dir
        $file = isset($_REQUEST['dl']) ? $dir.basename($_REQUEST['dl']) : '';
        if ($file !== '' && is_file($file)) {
            header('Content-type: application/force-download');
            header('Content-Transfer-Encoding: Binary');
            header('Content-length: '.filesize($file));
            header('Content-disposition: attachment; filename='.basename($file));
            readfile($file);
        } else {
            echo 'Either there was no file with that name for download, there was an error, or your login session expired.';
        }

        Thus, if anyone tries to access the protected directory directly, a prompt
        for a password is given, which should prevent all but the most tenacious
        hacker (there's nothing worth that much effort in the directory anyway), and
        if any registered user tries to copy the links to the files (in the form
        http://www.mydomain.com/dl.php?dl=filename) and pass them on to a
        non-registered user, entering the URL into the browser will forward them to
        the login page.

        I will add the 404 handler as per your suggestion too, just as an extra
        safeguard.

        J
        --
        -----Personal Disclaimer--------
        Thanks to the explosion of abuse of email on the 'net,
        I have taken to adding this disclaimer to all email. It's
        not a legal statement, just a form of insurance. If you
        get a message that appears to be from me, but it doesn't
        have this disclaimer at the bottom, please treat it as
        spam, as it has not originated from me.
        -----End Disclaimer------
        "Daniel Tryba" <news_comp.lang.php@canopus.nl> wrote in message
        news:clo16s$1o4$1@news.tue.nl...
        >
        > So you are using apache:
        > - move file out of the documentroot (or into a directory protected by
        > .htaccess)
        > - add a 404 handler to the protected-directory which points to a php
        > script which uses your normal authentication methods
        > - have this script serve the "protected" files, you'll need to set the
        > correct mime-type and http-status (eg 200) if the actual file can be
        > found
        >
        > --
        >
        > Daniel Tryba
        >



        • Michael Fesser

          #5
          Re: preventing external access to directory

          .oO(J C-W)
          >but since Microsoft have
          >prevented the use of username/password combinations within the URL in IE,
          >this method is no longer viable.

          It was never allowed by any standard in HTTP URLs.

          Micha


          • Chung Leong

            #6
            Re: preventing external access to directory

            "Daniel Tryba" <news_comp.lang.php@canopus.nl> wrote in message
            news:clo16s$1o4$1@news.tue.nl...
            > So you are using apache:
            > - move file out of the documentroot (or into a directory protected by
            > .htaccess)
            > - add a 404 handler to the protected-directory which points to a php
            > script which uses your normal authentication methods
            > - have this script serve the "protected" files, you'll need to set the
            > correct mime-type and http-status (eg 200) if the actual file can be
            > found

            Using PHP to serve file downloads isn't really the best solution, since you
            lose the web server's cache handling and partial retrieval capability
            (doable but tricky to implement yourself).

            A cleaner way to protect files would be to use Apache rewrite. To give
            someone access, you add an entry into a rewrite map with the PHP session ID
            as the key. A RewriteCond statement would then extract the PHP session ID
            from HTTP_COOKIE, while a second RewriteCond would check whether the ID is
            in the rewrite map. If it's not, then the request is rewritten to an access
            denied page.


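The rewrite-map scheme Chung Leong describes, written out as an added configuration fragment (not Chung's own configuration). It goes in the server or virtual-host configuration, because RewriteMap is not permitted in .htaccess. The map path, the protected URL prefix and the access-denied page are assumptions; PHPSESSID is PHP's default session cookie name. The map is a plain text file of `<session-id> allowed` lines that the login code appends to and the logout/expiry code removes from; Apache re-reads it when its modification time changes, so write a new copy and rename it into place rather than editing it in situ.

```apache
# Added example (not Chung Leong's configuration): protect /protected-directory/
# with a RewriteMap keyed on the PHP session ID. Paths are assumptions.
RewriteEngine On

# One "session-id allowed" line per logged-in session, maintained by the
# application. Use a dbm: map instead of txt: for large numbers of sessions.
RewriteMap sessions "txt:/var/www/private/allowed-sessions.txt"

# 1. Only requests under the protected prefix are checked.
RewriteCond %{REQUEST_URI} ^/protected-directory/
# 2. Extract the PHP session ID from the Cookie header into %1.
RewriteCond %{HTTP_COOKIE} (?:^|;\s*)PHPSESSID=([A-Za-z0-9,-]+)
# 3. Look it up; "denied" is the default when the key is absent from the map.
RewriteCond ${sessions:%1|denied} ^denied$
RewriteRule ^ /access-denied.php [L]

# A request with no PHPSESSID cookie never satisfies condition 2 above, so it
# needs its own rule; otherwise it would fall through to the real file.
RewriteCond %{REQUEST_URI} ^/protected-directory/
RewriteCond %{HTTP_COOKIE} !PHPSESSID=
RewriteRule ^ /access-denied.php [L]
```

Requests that pass both checks are served by Apache itself, which is the point of the approach: Content-Type, caching headers and Range requests all behave as for any other static file. The trade-off is that the map is a second copy of session state; an entry left behind after logout or session expiry keeps granting access until it is pruned, so the application's session lifecycle has to keep the two in step.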
