Users can currently access word and excel documents in a directory on the server open to the net.
Users can log in and view a page generated with PHP containing hrefs that point to specific documents that they should be using. This page is generated based on their territory and product groups sold. This program is protected by username & password which is validated by an entry in a MySQL table.
However, users have discovered that they can bookmark the documents individually and return to them directly.
Management wants to avoid this bookmarking. They want users to either download documents or go through program each time.
I don't want to add a second layer of login/password to access specific directory or files. What are possible strategies here?
Is it possible to lock down the directory except when accessed through the PHP program?
I hope I am making myself clear.
protect access to documents in a directory
As far as I know, you have 2 options:
- You can set up an .htaccess file so that the HTTP_REFERER header must match your domain. This will work most of the time, but there are browsers set up not to send HTTP_REFERER headers. However, if this is an internally controlled environment & you've set up all the browsers, go with this option.
- Don't link directly to an .xls, or .doc file or what have you. Link to a PHP file. Have the PHP file act as the actual document & readfile() the requested document if and only if the user is coming from the PHP file you generated (you can check this by requiring a specific POST value or something).
- RobertGonzalez
I like pickle's second suggestion. I would also recommend moving the files from their current location on the web server into a directory outside of the web server, then give that directory read privilege for the web server user so that there is no chance of stumbling across the files through a URL unless the URL is the one the user is supposed to use.
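One way to put pickle's gatekeeper script together with RobertGonzalez's outside-the-webroot directory, as an added example that is not code from this thread: the script checks the login session, looks the requested document up in a per-user entitlement table, and streams it with readfile(). It uses the server-side session instead of the POST marker pickle mentions, since a form value can be re-sent from a bookmark while a session cannot; the table `user_documents`, the session key `user_id`, the directory, and the database credentials are all assumptions.

```php
<?php
// getdoc.php - added example, not code from the thread. Serves one document per
// request, only to a logged-in user who is entitled to it. Assumes the login
// program stores the user's id in $_SESSION['user_id'] and that a table
// `user_documents` (user_id, doc_id, filename) lists each user's files.
session_start();
// Directory OUTSIDE the web root, readable by the web server user only (assumed path).
const DOCS_DIR = '/var/docs-private';
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Please log in through the main program.');
}
$docId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($docId === false || $docId === null) {
    http_response_code(400);
    exit('Bad request.');
}
// Authorization: the document must be assigned to this user in the database,
// so a bookmarked or guessed id for another territory's file yields nothing.
// Connection details are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare(
    'SELECT filename FROM user_documents WHERE user_id = ? AND doc_id = ?'
);
$stmt->execute([$_SESSION['user_id'], $docId]);
$filename = $stmt->fetchColumn();
if ($filename === false) {
    http_response_code(404);
    exit('No such document.');
}
// Never trust the stored name as a path: keep only the base name and confirm
// the resolved file really lives inside DOCS_DIR.
$base = realpath(DOCS_DIR);
$path = realpath(DOCS_DIR . '/' . basename($filename));
if ($base === false || $path === false || strpos($path, $base . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('No such document.');
}
$types = ['doc' => 'application/msword', 'xls' => 'application/vnd.ms-excel'];
$ext   = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ($types[$ext] ?? 'application/octet-stream'));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: no-store');   // keep copies out of shared caches
readfile($path);
```

The generated page then links to getdoc.php?id=N instead of the .doc/.xls files, and the old document directory is removed from the web root so no direct URL remains to bookmark.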