Protecting directories

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

olsonpm
Forum Newbie
Posts: 2
Joined: Fri Jun 11, 2010 9:35 pm

Protecting directories

Post by olsonpm »

I know this has been asked before, and I especially read through this article

viewtopic.php?f=34&t=95469&p=520725&hil ... es#p520725

however it doesn't seem to offer the advice I need.

My situation is this. I have some video files and other download links which I would like to be only accessible by logged-in users. Right now I'm using WordPress as a means for storing the user information and restricting access to certain pages - it seems to be working out well using their plugins. However, I don't know how to stop people from using a direct URL to download the files from the public directory. Here are the two solutions I saw, and why they won't work for my situation.

1) Store the files outside the root folder: I'm currently using GoDaddy's shared hosting service and when I looked up how to store outside the root directory, I found this information. "After you update your account in this way, it is important to remember that the root folder of your site still allows access to anonymous users, but not through a Web browser. It is possible that your site may allow users to access files stored in these directories. If you would like folders to be more secure, create a new virtual directory off of the site root and restrict its access." I think this is due to the fact that instead of storing it outside the root, you actually are just creating a new root below your domain name. I don't understand it all, and their response e-mail to me was of no help. I figured they are not as intelligible on the matter as this forum would be.

2) .htaccess: The reason this won't seem to work is because my users are already logged in. I do not want them to have to log in again just to download/view the content. I figure there must be some smoother way to do things.

I searched around looking for ways to allow PHP to automatically feed a username/pass to bypass a .htaccess, but I couldn't find one at all.

I'm very new to PHP and web development (hence WordPress haha), but am very comfortable with programming. There seems to be some fundamental issue here that I'm not grasping, so any help would be much appreciated.

Phil
André D
Forum Commoner
Posts: 55
Joined: Thu Aug 28, 2008 7:03 pm

Re: Protecting directories

Post by André D »

Storing protected content outside the root folder is preferred, but you can achieve the same result with deny from all in a .htaccess file. The result is that you have a place to store files that Apache won't serve. The next step is to write a PHP script that checks if the user is logged in and he has access to the file. If so, the script sets the appropriate headers (Content-Type, Content-Length, etc.), and serves the file out using something like fpassthru() or readfile().

There are other ways to do it, but the above approach sounds like it might be best for your situation.
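
The approach described in the reply above, as an added example that is not part of the original thread: a gatekeeper script that reuses the existing WordPress login, so no second password prompt is needed. It assumes the script sits in the WordPress root, the files live in a `protected/` directory containing a `.htaccess` with `deny from all`, and the request parameter is called `file`; all three names are hypothetical.

```php
<?php
// download.php: added example, not code from the thread.
// Assumptions (hypothetical names): this script sits in the WordPress root,
// and ./protected/ holds the files plus a .htaccess with "deny from all".
require __DIR__ . '/wp-load.php';      // boot WordPress so its login cookie is honoured

const PROTECTED_DIR = __DIR__ . '/protected';

function pd_deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

// 1. Authentication and authorization come before any filesystem access.
if (!is_user_logged_in() || !current_user_can('read')) {
    pd_deny(403, 'Login required.');
}

// 2. Resolve the requested name inside PROTECTED_DIR only.
$requested = $_GET['file'] ?? '';      // 'file' is an assumed parameter name
if (!is_string($requested) || $requested === '') {
    pd_deny(400, 'Missing file parameter.');
}
$name = basename($requested);          // drops any directory components
$base = realpath(PROTECTED_DIR);
$path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $name);

if ($name === '' || $name[0] === '.'   // empty name, .htaccess and other dotfiles
    || $path === false                 // file does not exist
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0   // symlink leading elsewhere
    || !is_file($path)) {
    pd_deny(404, 'Not found.');
}

// 3. Set the headers, then stream the file.
$type = function_exists('mime_content_type') ? mime_content_type($path) : false;
header('Content-Type: ' . ($type ?: 'application/octet-stream'));
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . addcslashes($name, '"\\') . '"');
header('X-Content-Type-Options: nosniff');

while (ob_get_level() > 0) {           // do not buffer a whole video in memory
    ob_end_clean();
}
readfile($path);
exit;
```

Links on the restricted pages then point at `download.php?file=<name>` instead of the file's own URL, and a direct request to anything under `protected/` is refused by Apache.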
olsonpm
Forum Newbie
Posts: 2
Joined: Fri Jun 11, 2010 9:35 pm

Re: Protecting directories

Post by olsonpm »

Thanks so much for the reply. I will see what I can do the next couple days and let you know what I come up with.