Hello everyone.
I have a problem with my current project and I really hope someone could shed some light on how to rectify it.
Currently I have a section for clients who can log in and download files in a specific folder.
For example, there will be 50 folders, client_1 to client_50.
If their session userid once logged in is 1, then they have access to client_1 files and no other. This is all working fine from the interface side of things; however, if client 1 wanted to view client 6's files, they can still do so by bypassing the website and entering a file URL directly...
I have secured the folder itself by .htaccess so they cannot type in...
http://www.mysite.com/files/client_6/
That would redirect them back to an appropriate page.
But a direct URL such as
http://www.mysite.com/files/client_6/image.jpg
would display the image.
What measures can I take to ensure this is no longer possible?
I would really appreciate some advice. Thanks all.
Phase
Directly viewing unauthorised files by url
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Load the image inside your PHP script.
This way, you can store your images outside of the webroot so people can't access them through the direct URL. Then you'd have a way of showing it to valid users by using the URL image_validating_script.php?image=image.jpg
Pseudo code:
<?php
session_start();
// pseudo code: replace these two checks with your own session/user validation
if (session_is_valid() && user_is_valid())
{
    readfile('image.jpg');
}
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
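A fuller version of the approach described in the answer above, written as an added example rather than code from the original thread. It assumes the login code stores the numeric client id in $_SESSION['userid'], that the per-client folders have been moved to /var/www/private_files/client_<id>/ (outside the document root, so no URL reaches them and no .htaccess rule is needed), and that the script is requested as download.php?file=image.jpg. The client folder is taken from the session, never from the URL, and the requested file name is validated and then re-checked with realpath() so a crafted name cannot escape the client's own folder.

```php
<?php
// Added example: serve one of the logged-in client's files from a folder
// kept outside the web root, after checking the session.
// Assumed layout: /var/www/private_files/client_<id>/<file>
// Assumed session key: $_SESSION['userid'] set by the existing login code.

session_start();

// Base directory that is NOT under the document root, so there is no
// direct URL such as /files/client_6/image.jpg that bypasses this script.
define('PRIVATE_BASE', '/var/www/private_files');

// 1. Session check: nobody logged in, or a non-numeric id -> refuse.
if (empty($_SESSION['userid']) || !ctype_digit((string) $_SESSION['userid'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Not logged in');
}
$clientId = (int) $_SESSION['userid'];

// 2. The folder is derived from the session id only. Client 1 can never
//    name client_6's folder because the folder is not a request parameter.
$clientDir = PRIVATE_BASE . '/client_' . $clientId;

// 3. Accept only a plain file name: letters, digits, dot, dash, underscore,
//    no leading dot, no slashes, and no ".." anywhere.
$requested = isset($_GET['file']) ? (string) $_GET['file'] : '';
if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,99}\z/', $requested)
    || strpos($requested, '..') !== false) {
    header('HTTP/1.1 400 Bad Request');
    exit('Bad file name');
}

// 4. Resolve the real path and confirm it is still inside the client's folder.
//    This catches symlinks or anything the name check did not anticipate.
$realDir  = realpath($clientDir);
$realFile = realpath($clientDir . '/' . $requested);
$prefix   = $realDir === false ? '' : $realDir . DIRECTORY_SEPARATOR;
if ($realDir === false || $realFile === false
    || strncmp($realFile, $prefix, strlen($prefix)) !== 0
    || !is_file($realFile)) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}

// 5. Send the file. Detect the real MIME type rather than trusting the
//    extension, and force a download so the browser does not render it inline.
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime  = finfo_file($finfo, $realFile);
finfo_close($finfo);
if ($mime === false) {
    $mime = 'application/octet-stream';
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($realFile));
header('Content-Disposition: attachment; filename="' . basename($realFile) . '"');
header('X-Content-Type-Options: nosniff');
readfile($realFile);
```

The two checks that matter are that the folder comes from the session rather than the query string, and that the realpath() result is compared against the client's folder after the name has already been filtered; either one alone leaves a gap (a guessable folder parameter, or a file name the regex did not foresee). If the files must stay under the web root for other reasons, the same script still works, but the folder then also needs a web-server rule denying all direct requests, since the check on L6 of the question only covers the directory index and not the files inside it.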
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland