protect access to documents in a directory

itp
Forum Commoner
Posts: 67
Joined: Fri Jun 15, 2007 6:50 am

protect access to documents in a directory

Post by itp »

Users can currently access word and excel documents in a directory on the server open to the net.

Users can log in and view a page generated with PHP containing href's that point to specific documents that they should be using. This page is generated based on their territory and product group sold. This program is protected by username & password which is validated by an entry in a MySQL table.

However, users have discovered that they can bookmark the documents individually and return to them directly.
Management wants to avoid this bookmarking. They want users to either download documents or go through the program each time.

I don't want to add a second layer of login/password to access specific directory or files. What are possible strategies here?

Is it possible to lock down the directory except when accessed through the PHP program?

I hope I am making myself clear.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

As far as I know, you have 2 options:
  1. You can set up an .htaccess file so that the HTTP_REFERER header must match your domain. This will work most of the time, but there are browsers set up to not send HTTP_REFERER headers. However, if this is an internally controlled environment & you've set up all the browsers, go with this option.
  2. Don't link directly to an .xls, or .doc file or what have you. Link to a PHP file. Have the PHP file act as the actual document & readfile() the requested document if and only if the user is coming from the PHP file you generated (you can check this by requiring a specific POST value or something).
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I like pickle's second suggestion. I would also recommend moving the files from their current location on the web server into a directory outside of the web server, then give that directory read privilege for the web server user so that there is no chance of stumbling across the files through a URL unless the URL is the one the user is supposed to use.
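Pickle's second suggestion combined with RobertGonzalez's advice to keep the files outside the web root, as an added example that is not code from this thread: the generated page links to gateway.php?doc=q3-pricelist, and the script serves the file only after checking the login session and the user's entitlement list, so a bookmarked link fails as soon as the login expires. The session key $_SESSION['user_id'], the storage path and the $entitlements array are assumptions standing in for the real login program and MySQL table.

```php
<?php
// Added example (not from the thread): a PHP "gateway" that serves a document only
// to a logged-in user who is entitled to it. Files live OUTSIDE the web root, so
// the only way to reach them is through this script. Assumes the login program
// stores the user's id in $_SESSION['user_id']; the MySQL lookup is a constructed array.
session_start();

// Storage directory outside the document root (constructed path).
define('DOC_ROOT', '/var/www/private_docs');

// Stand-in for the MySQL query "which documents may this user see?".
// Keys are opaque ids used in the generated href list; values are real filenames.
$entitlements = [
    42 => [
        'q3-pricelist'  => 'Q3_Pricelist_West.xls',
        'product-guide' => 'Product_Guide_2007.doc',
    ],
];

if (empty($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Please log in first.');
}

$userId = (int) $_SESSION['user_id'];
$docId  = isset($_GET['doc']) ? (string) $_GET['doc'] : '';

// Only ids present in the user's own entitlement list are accepted; the client-
// supplied value is never used as a filename, so "../" in the URL has no effect.
if (!isset($entitlements[$userId][$docId])) {
    header('HTTP/1.1 404 Not Found');
    exit('No such document.');
}

$filename = $entitlements[$userId][$docId];
$path     = DOC_ROOT . '/' . $filename;
if (!is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('No such document.');
}

$types = ['xls' => 'application/vnd.ms-excel', 'doc' => 'application/msword'];
$ext   = strtolower(pathinfo($filename, PATHINFO_EXTENSION));

header('Content-Type: ' . ($types[$ext] ?? 'application/octet-stream'));
header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store'); // the browser must come back through the script
readfile($path);
```

With the documents outside the web root, the directory itself has no URL, so there is nothing for users to bookmark except the gateway, and every request to it is re-checked against the current login.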
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Placing an .htaccess file in the directory that denies all incoming requests alleviates the need to move the directory out of the web root tree. Some hosts support this easier/more than allowing PHP to access data outside the web root.