We have a site for a client which has a members-only portion to it. Inside the members-only section they have the ability, through a custom CMS we built with PHP/MySQL, to add content, upload files, etc. The members-only section was originally developed to just be a place for the client to post some info that the members could read but now they want the ability to upload documents for only members to view. They used the functionality we originally gave them and tested the URLs to the files and sure enough they were able to download the documents/PDFs without being logged in. The original scope didn’t call for the files to be secure but that now has changed.
I’m looking for some help to make these documents/photos they upload through the CMS for the members-only section secure, meaning only those members logged into the system can view them. Any thoughts as to the best practice to accomplish this? We are working in a PHP/MySQL environment. I originally thought we could lock down directories with htaccess but that would require a double login for the members and there is no way to feed the htaccess file with the usernames/passwords that get set up/changed for each member (unless htaccess can be connected to the MySQL database?).
We are willing to pay for this assistance.
Protecting Files for Members Only
-
curseofthe8ball
- Forum Commoner
- Posts: 73
- Joined: Sun Jun 01, 2003 12:33 am
Re: Protecting Files for Members Only
You need a proxy script that would check credentials, determine mimetype, output the correct headers and then readfile() the file in question.
curseofthe8ball
Re: Protecting Files for Members Only
Mordred,
Thanks for the reply. I think I've got the basic idea of what needs to be done for files, but how would you handle images in terms of displaying them on a page via HTML, behind a login script from an htaccess-protected folder?
Re: Protecting Files for Members Only
You would use header() to "lie" that what you return is an image.
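
The proxy-script approach from the replies above, covering both downloads and images, as an added example that is not code from any poster in this thread. The session key `member_id`, the `member_files` table and its columns, the upload path and the database credentials are all assumptions to be replaced with the CMS's own.

```php
<?php
// file.php?id=42 -- hypothetical gatekeeper; every name here is an assumption.
declare(strict_types=1);
session_start();

// Assumption: the CMS login stores the member's id in the session.
if (empty($_SESSION['member_id'])) {
    http_response_code(403);
    exit('Members only.');
}
session_write_close(); // release the session lock so a page's images load in parallel

// Assumption: uploads were moved outside the document root.
$base = realpath('/var/www/private_uploads');

// Assumption: a member_files table maps a numeric id to the stored file name.
$pdo = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'cms_user', 'CHANGE_ME',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('SELECT stored_name, original_name FROM member_files WHERE id = ?');
$stmt->execute([(int) ($_GET['id'] ?? 0)]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Resolve the path and refuse anything that ends up outside the upload directory.
$path = $row ? realpath($base . '/' . basename($row['stored_name'])) : false;
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found.');
}

// Determine the type from the file's content, not from its extension.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';

// Only known-safe types render in the browser; everything else is a download.
$inline = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];
if (!in_array($mime, $inline, true)) {
    $mime = 'application/octet-stream';
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
    header('Content-Disposition: attachment; filename="' . $name . '"');
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff'); // stop the browser from second-guessing the type
header('Cache-Control: private');          // keep member files out of shared caches
readfile($path);
```

Images on a members-only page then point at the script, for example `<img src="file.php?id=42">`, and the browser sends the session cookie with that request just as it does for the page itself. The check only holds if the upload directory is no longer directly reachable (moved outside the document root or denied in .htaccess); otherwise the old file URLs keep working.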