
Secure a directory using session variable

Posted: Wed Jan 04, 2006 11:49 am
by maxd
I have a client site which utilizes page-based authentication to control access to certain areas of the site. Once a user has successfully logged in, a session variable is instantiated, like so:

Code:

if ($valid_user) {
    // Mark this session as logged in; every protected page checks these values.
    $_SESSION['adminauth'] = 1;
    $_SESSION['userlevel'] = "admin";
    $_SESSION['logname']   = $_POST['adminname'];
//    setcookie("username", $_POST['username'], time()+(84600*30));
//    echo "Access granted!";
//    ob_end_flush();
}
The client is now adding some PDF documents to the secure areas of the site. I'm curious if there's a way to leverage my existing authentication system to secure the directory holding the documents to prevent direct URL access. I know I can control access to the PHP page which will list links to the documents, but someone could feasibly go to http://www.mysite.com/path/to/documents/document.pdf and access the files without authentication.

So, I wonder if I can leverage .htaccess and the session variable to control access to that directory.

Any help is greatly appreciated.

Max

Posted: Wed Jan 04, 2006 11:57 am
by John Cartwright
Your best bet is to keep your PDF documents outside of the document root to prevent anyone from directly linking to these documents. Now, to access these documents, a download script should be utilized to grab the document via a header() call and do what you will with it.

The download script should check for the user permissions, in your case using session based authentication to determine whether or not the user is valid.

A good place to start looking is header().

Shared server

Posted: Wed Jan 04, 2006 12:25 pm
by maxd
Thanks for your quick reply, Jcart.

I think your solution is the best one, and reflects what I found in my research. Unfortunately, the site is on a shared server, and I'm not sure I'll be able to do anything outside of the www directory. I have posted a request to the hosting company to find out for sure, but our FTP dumps us straight into the webroot, and we don't appear to have the ability to move up from there. :(

If that is the case, are there any viable alternatives to resolve the problem?

Thanks again,
Max

Posted: Wed Jan 04, 2006 12:33 pm
by John Cartwright
You can still keep your documents inside a password-protected directory, but I have limited knowledge about protecting directories with .htaccess, especially when trying to integrate it with session-based authentication. Perhaps someone else can offer some insight on this... but to address your question, it still is possible ;)

I'll keep researching...
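Putting the two replies together (the header()-based download script from John Cartwright's first post, and the shared-server constraint where the files cannot leave the web root), here is an added example of what such a script could look like. It is not code from either poster. It assumes the PDFs live in a `documents` directory next to the script, that this directory carries an `.htaccess` file refusing direct requests so that only PHP can read the files through the filesystem, that the listing page links to `download.php?file=name.pdf`, and that the session flag checked is the `adminauth` value set by the login code shown in the first post.

```php
<?php
// download.php: serve a PDF only to an authenticated session.
// Added example, not maxd's or John Cartwright's code.
//
// Assumed layout on the shared host (everything under the web root):
//   /download.php
//   /documents/.htaccess      <- blocks direct URL access:
//                                 Apache 2.2:  Order deny,allow
//                                              Deny from all
//                                 Apache 2.4:  Require all denied
//   /documents/report.pdf     <- still readable by PHP via readfile()
// If the host ever allows it, move "documents" outside the web root and
// only $docRoot below needs to change.

session_start();

// Same flag the original login code sets: $_SESSION['adminauth'] = 1;
if (!isset($_SESSION['adminauth']) || $_SESSION['adminauth'] !== 1) {
    header('HTTP/1.1 403 Forbidden');
    exit('Access denied');
}

// Directory holding the protected documents (assumption; adjust to the real path).
$docRoot = realpath(__DIR__ . '/documents');
if ($docRoot === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Document directory missing');
}

// Accept only a bare file name: basename() strips any directory part, and the
// pattern rejects anything that is not a plain .pdf name. This also keeps the
// name safe to echo back inside the Content-Disposition header below.
$name = isset($_GET['file']) ? basename($_GET['file']) : '';
if ($name === '' || !preg_match('/^[A-Za-z0-9._-]+\.pdf$/', $name)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Bad file name');
}

// realpath() resolves symlinks and ".." segments; confirm the result is still
// inside $docRoot before touching it.
$path = realpath($docRoot . DIRECTORY_SEPARATOR . $name);
if ($path === false
    || strpos($path, $docRoot . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('No such document');
}

// Release the session lock before streaming a possibly large file, so other
// requests from the same user are not blocked while the download runs.
session_write_close();

header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With the `.htaccess` in place, a request for `http://www.mysite.com/documents/report.pdf` gets a 403 from Apache regardless of session state, while `download.php?file=report.pdf` streams the file only when `$_SESSION['adminauth']` is set. A quick check after deploying: fetch the direct URL while logged out (expect 403), fetch `download.php?file=../download.php` (expect 400), and fetch `download.php?file=report.pdf` logged in (expect the PDF).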

Posted: Wed Jan 04, 2006 4:50 pm
by maxd
Thanks, Jcart. I'll keep researching this, and if I find a solution, I'll post it.

Anyone out there have any ideas?

max :?: