Directly viewing unauthorised files by url
Posted: Wed May 31, 2006 1:20 pm
Hello everyone.
I have a problem with my current project and I really hope someone could shed some light on how to rectify it.
Currently I have a section for clients who can log in and download files in a specific folder.
For example, there will be 50 folders, client_1 to client_50.
If their session userid once logged in is 1, then they have access to client_1 files and no other. This is all working fine from the interface side of things; however, if client 1 wanted to view client 6's files, they can still do so by bypassing the website and entering a file URL directly...
I have secured the folder itself by .htaccess so they cannot type in...
http://www.mysite.com/files/client_6/
That would redirect them back to an appropriate page.
But a direct URL such as
http://www.mysite.com/files/client_6/image.jpg
would display the image.
What measures can I take to ensure this is no longer possible?
I would really appreciate some advice. Thanks all.
Phase
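The usual fix for the situation in this post is to take the files out of the web root entirely and hand every download through a single gatekeeper script that checks the session before opening the file. The following is an added example, not code from the post or its author, and it assumes a hypothetical storage directory (`/srv/client_files`) and hypothetical function names. It shows the two checks that matter: the logged-in user id must match the client folder being requested, and the file name must not be able to escape that folder.

```python
import os

# Assumption (not from the post): files live OUTSIDE the web root, so the
# only way to reach them is through this gatekeeper, never by a direct URL.
STORAGE_ROOT = "/srv/client_files"


def check_download(session_user_id, client_id, filename, storage_root=STORAGE_ROOT):
    """Decide whether the logged-in user may fetch client_<id>/<filename>.

    Returns (True, absolute_path) when allowed, or (False, reason) otherwise.
    """
    # 1. Must be logged in.
    if session_user_id is None:
        return (False, "not logged in")
    # 2. Both ids must be plain integers; anything else is rejected, not guessed.
    try:
        user = int(session_user_id)
        client = int(client_id)
    except (TypeError, ValueError):
        return (False, "malformed id")
    # 3. Authorisation: user N may only see client_N (the rule from the post).
    if user != client:
        return (False, "client mismatch")
    # 4. Only a bare file name is accepted: no slashes, no '..', no empty value.
    if not filename or filename in (".", "..") or "/" in filename or "\\" in filename:
        return (False, "bad file name")
    folder = os.path.join(storage_root, "client_%d" % client)
    path = os.path.normpath(os.path.join(folder, filename))
    # 5. Belt and braces: the normalised path must still sit inside the folder.
    if os.path.commonpath([folder, path]) != folder:
        return (False, "path escapes folder")
    return (True, path)


def send_file(session_user_id, client_id, filename, storage_root=STORAGE_ROOT):
    """What the download endpoint does: 403 on refusal, 404 if missing, 200 with bytes."""
    allowed, result = check_download(session_user_id, client_id, filename, storage_root)
    if not allowed:
        return (403, None)
    if not os.path.isfile(result):
        return (404, None)
    with open(result, "rb") as fh:
        return (200, fh.read())


if __name__ == "__main__":
    import tempfile
    # Constructed sample store: two clients, one file each.
    root = tempfile.mkdtemp()
    for cid, name in ((1, "report.pdf"), (6, "image.jpg")):
        os.makedirs(os.path.join(root, "client_%d" % cid))
        with open(os.path.join(root, "client_%d" % cid, name), "wb") as fh:
            fh.write(b"data for client %d" % cid)
    print(send_file(1, "1", "report.pdf", root))             # (200, b'data for client 1')
    print(send_file(1, "6", "image.jpg", root))              # (403, None): another client's folder
    print(send_file(1, "1", "../client_6/image.jpg", root))  # (403, None): traversal attempt
    print(send_file(1, "1", "missing.pdf", root))            # (404, None)
```

With the files outside the document root, the `.htaccess` rule becomes a second line of defence rather than the only one: even if it is misconfigured, Apache has nothing under `/files/` to serve, and every request has to pass the session check above. The endpoint should also send a `Content-Type` and `Content-Disposition` header before writing the bytes; that part is left out here because it depends on the web framework in use.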