Protecting Files for Members Only

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

curseofthe8ball
Forum Commoner
Posts: 73
Joined: Sun Jun 01, 2003 12:33 am

Protecting Files for Members Only

Post by curseofthe8ball »

We have a site for a client which has a members-only portion to it. Inside the members-only section they have the ability, through a custom CMS we built with PHP/MySQL, to add content, upload files, etc. The members-only section was originally developed to just be a place for the client to post some info that the members could read, but now they want the ability to upload documents for only members to view. They used the functionality we originally gave them and tested the URLs to the files, and sure enough they were able to download the documents/PDFs without being logged in. The original scope didn’t call for the files to be secure, but that has now changed.

I’m looking for some help to make these documents/photos they upload through the CMS for the members-only section secure, meaning only those members logged into the system can view them. Any thoughts as to the best practice to accomplish this? We are working in a PHP/MySQL environment. I originally thought we could lock down directories with .htaccess, but that would require a double login for the members, and there is no way to feed the .htaccess file with the usernames/passwords that get set up/changed for each member (unless .htaccess can be connected to the MySQL database?).

We are willing to pay for this assistance.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Protecting Files for Members Only

Post by Mordred »

You need a proxy script that would check credentials, determine mimetype, output the correct headers and then readfile() the file in question.
curseofthe8ball
Forum Commoner
Posts: 73
Joined: Sun Jun 01, 2003 12:33 am

Re: Protecting Files for Members Only

Post by curseofthe8ball »

Mordred,

Thanks for the reply. I think I've got the basic idea of what needs to be done for files, but how would you handle images in terms of displaying them on a page via HTML, behind a login script, from an .htaccess-protected folder?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Protecting Files for Members Only

Post by Mordred »

You would use header() to "lie" that what you return is an image.
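The proxy script Mordred describes, written out as an added example (it is not code from this thread); it also covers the image case from this reply, since an `<img src="/file.php?id=42">` tag only needs the script to return the right Content-Type. Assumed names: the login code sets `$_SESSION['member_id']`, a `files` table records each upload, `$pdo` is a configured PDO connection, and uploads live in a directory outside the web root.

```php
<?php
// Added example, not from the thread. Assumptions (all hypothetical names):
// $_SESSION['member_id'] is set by the site's login code, a `files` table has
// columns id/stored_name/original_name, and $pdo is a configured PDO handle.
session_start();

// 1. Credentials: refuse anonymous requests before touching the filesystem.
if (empty($_SESSION['member_id'])) {
    http_response_code(403);
    exit('Members only');
}

// 2. Look the file up by numeric id, never by a user-supplied path, so a
//    request cannot name files outside the upload directory.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad file id');
}
$stmt = $pdo->prepare('SELECT stored_name, original_name FROM files WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

$uploadDir = '/var/www/members_uploads'; // outside the document root (assumed path)
$path = $row ? realpath($uploadDir . '/' . basename($row['stored_name'])) : false;
if ($path === false || strpos($path, $uploadDir . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('No such file');
}

// 3. Determine the MIME type from the file's content, not its extension.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime = $finfo->file($path) ?: 'application/octet-stream';

// 4. Send the headers a static file would have carried. Only raster images are
//    shown inline; everything else (including SVG, which may contain script)
//    is offered as a download with a sanitised filename.
$inline = strpos($mime, 'image/') === 0 && $mime !== 'image/svg+xml';
$safeName = preg_replace('/[^\w.\-]/', '_', $row['original_name']);
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: ' . ($inline ? 'inline' : 'attachment') . '; filename="' . $safeName . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');

// 5. Stream the bytes; the browser sees an ordinary image or document.
readfile($path);
```

The upload directory must not be reachable by URL at all (keep it outside the document root or deny it in the web server config); otherwise the proxy check can be bypassed by requesting the file directly.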