Secure a directory using session variable

maxd
Forum Commoner
Posts: 41
Joined: Sun Dec 04, 2005 12:12 am
Location: Denver

Secure a directory using session variable

Post by maxd »

I have a client site which utilizes page-based authentication to control access to certain areas of the site. Once a user has successfully logged in, a session-variable is instantiated, like so:

```php
// Runs after the login form has been validated; $valid_user is set by the
// credential check that precedes this block.
if ($valid_user) {
    $_SESSION['adminauth'] = 1;
    $_SESSION['userlevel'] = "admin";
    $_SESSION['logname'] = $_POST['adminname'];
//    setcookie("username", $_POST['username'], time()+(84600*30));
//    echo "Access granted!";
//    ob_end_flush();
}
```
The client is now adding some PDF documents to the secure areas of the site. I'm curious if there's a way to leverage my existing authentication system to secure the directory holding the documents to prevent direct URL access. I know I can control access to the PHP page which will list links to the documents, but someone could feasibly go to http://www.mysite.com/path/to/documents/document.pdf and access the files without authentication.

So, I wonder if I can leverage .htaccess and the session variable to control access to that directory.

Any help is greatly appreciated.

Max
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Your best bet is to keep your pdf documents outside of the document root to prevent anyone from directly linking these documents. Now, to access these documents, a downloading script should be utilized to grab the document via a header() call and do what you will with it.

The download script should check for the user permissions, in your case using session based authentication to determine whether or not the user is valid.

A good place to start looking is header().
maxd
Forum Commoner
Posts: 41
Joined: Sun Dec 04, 2005 12:12 am
Location: Denver

Shared server

Post by maxd »

Thanks for your quick reply, Jcart.

I think your solution is the best one, and reflects what I found in my research. Unfortunately, the site is on a shared server, and I'm not sure I'll be able to do anything outside of the www directory. I have posted a request to the hosting company to find out for sure, but our FTP dumps us straight into the webroot, and we don't appear to have the ability to move up from there. :(

If that is the case, are there any viable alternatives to resolve the problem?

Thanks again,
Max
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

You can still keep your documents inside a password protected directory, but I have limited knowledge about protecting directories with .htaccess, especially when trying to integrate it within session based authentication. Perhaps someone else can offer some insight on this, but to address your question it still is possible ;)
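The download script John describes in his first reply, combined with the "keep it in a protected directory" fallback from his second, as an added example that is not code from either poster. It assumes a storage directory named private_docs next to the script, a query parameter named file, and the same adminauth session flag the login code above sets.

```php
<?php
// Added example (not from the original thread): serve a PDF only when the
// caller has the session flag set by the login code, and never let the
// request pick a file outside the storage directory.
session_start();

// 1. Gate on the same session flag the login code sets ($_SESSION['adminauth'] = 1).
if (empty($_SESSION['adminauth']) || (int) $_SESSION['adminauth'] !== 1) {
    header('HTTP/1.1 403 Forbidden');
    exit('Not authorized');
}

// 2. Storage directory (assumed path). Ideally outside the web root; if it
//    must live under it, deny direct access to it in .htaccess (see note below).
$docRoot = realpath(__DIR__ . '/../private_docs');
if ($docRoot === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Storage directory missing');
}

// 3. Accept only a bare file name: basename() strips any path component,
//    and the pattern rejects "..", slashes and anything that is not a .pdf.
$name = isset($_GET['file']) ? basename($_GET['file']) : '';
if ($name === '' || !preg_match('/^[A-Za-z0-9._-]+\.pdf$/', $name)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Bad file name');
}

// 4. Resolve the final path and confirm it is still inside $docRoot
//    (guards against symlinks pointing elsewhere).
$path = realpath($docRoot . DIRECTORY_SEPARATOR . $name);
if ($path === false || strpos($path, $docRoot . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}

// 5. Send the document; no-store keeps proxies and browsers from caching it.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

Links on the protected listing page then point at download.php?file=report.pdf instead of the PDF itself. On a shared host where the directory has to stay under the web root, a .htaccess file inside it containing `Require all denied` (Apache 2.4) or `Deny from all` (Apache 2.2) blocks direct URL access while the script, which reads the file from disk rather than over HTTP, keeps working.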
maxd
Forum Commoner
Posts: 41
Joined: Sun Dec 04, 2005 12:12 am
Location: Denver

I'll keep researching...

Post by maxd »

Thanks, Jcart. I'll keep researching this, and if I find a solution, I'll post it.

Anyone out there have any ideas?

max