Forbidding access to a directory.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

How do I forbid access to a specific directory on my web server? I have a bunch of videos located in a directory on my server that I want to allow only members of my site to be able to view. I'm authenticating members with PHP sessions, and I want the videos to be accessible only through a PHP page with this authentication.

I appreciate any assistance on this.

Thanks for reading.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Research the htaccess control of allow and deny. Note: this only limits HTTP requests.

Post by JellyFish »

I googled "htaccess forbidding directory" and found that if an .htaccess file has this statement:

Code:

deny from all

then all files in the same directory as the .htaccess file will be forbidden access to everyone. It doesn't appear to have any effect on my directory at all. Am I doing something wrong?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Sounds like htaccess might be disabled for you. Is your webhost using Apache?

The alternative is to place the videos beneath the web directory, and then serve them using a PHP script. This is not very efficient though, and might cause your hosting company to complain about zombie PHP processes.
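
The approach described in the post above (videos kept outside the web-accessible directory and handed out by a PHP script after the session check), as an added example that is not part of the original thread. The storage path, the `member_id` session key and the `file` query parameter are assumptions.

```php
<?php
// Added example: session-gated video delivery. All names are assumptions.
declare(strict_types=1);

// Hypothetical storage location outside the document root (a directory
// protected with "Deny from all" also works: PHP reads from disk, not HTTP).
const VIDEO_DIR = '/home/example/private_videos';

session_start();

// 'member_id' is an assumed session key set by the site's login code.
if (empty($_SESSION['member_id'])) {
    http_response_code(403);
    exit('Members only.');
}

// Accept only a bare file name: basename() drops directory components,
// and the pattern restricts the characters and the extension.
$name = basename((string)($_GET['file'] ?? ''));
if (!preg_match('/\A[A-Za-z0-9_-]+\.(mp4|webm)\z/', $name)) {
    http_response_code(400);
    exit('Bad file name.');
}

// Resolve symlinks and confirm the result is still inside VIDEO_DIR.
$base = realpath(VIDEO_DIR);
$path = realpath(VIDEO_DIR . '/' . $name);
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found.');
}

// Release the session lock so a long download does not block the member's
// other requests, then stream the file without buffering it in memory.
session_write_close();
$types = ['mp4' => 'video/mp4', 'webm' => 'video/webm'];
header('Content-Type: ' . $types[pathinfo($path, PATHINFO_EXTENSION)]);
header('Content-Length: ' . (string)filesize($path));
header('X-Content-Type-Options: nosniff');
// Keep browsers and proxies from storing a copy that outlives the session.
header('Cache-Control: private, no-store');
while (ob_get_level() > 0) {
    ob_end_clean();
}
readfile($path);
```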

Post by JellyFish »

I'm sure htaccess is enabled for me (I once used it for password auth...).

Post by Ambush Commander »

Try capitalizing Deny.

Post by JellyFish »

That didn't do it either. Is it that I misspelled the file extension: .htaccess?

Does "Deny from all" not deny access to all of the directory's files and subdirectories?

Post by Ambush Commander »

JellyFish wrote:That didn't do it either. Is it that I misspelled the file extension: .htaccess?
Nope, it's correct.

JellyFish wrote:Does "Deny from all" not deny access to all of the directory's files and subdirectories?
That's what it should do.

Does your server have mod_access? Also, try putting gibberish into the htaccess file and see if you get a 500 error.

Post by JellyFish »

I got the 500 error.

How do I tell if my server has mod_access?

Post by Ambush Commander »

<IfModule mod_access>

Post by JellyFish »

Could it be that my file only consists of:

Code:

Deny from all

?

EDIT: Also when I change my file to:

Code:

<IfModule mod_access>
Deny from all

I get an Internal Server Error

Post by Ambush Commander »

No, I've used that plenty of times before and it invariably works. Ask your host if mod_access is enabled.

Post by JellyFish »

Okay I contacted my hostie and found out that it is enabled and that, for some WEIRD reason, it works but when I go to try accessing it on this computer it doesn't... weird.

I tested on my other computers and it works. Why on this computer would it have access? :dubious:

EDIT: It was my cache. :banghead:
Last edited by JellyFish on Fri Jun 29, 2007 8:34 pm, edited 1 time in total.

Post by Ambush Commander »

Mmm... try clearing your browser cache?

Post by JellyFish »

Ambush Commander wrote:Mmm... try clearing your browser cache?
Exactly. Well, thanks for all help peoples. :D

This would protect people from downloading or viewing the files in the directory as the .htaccess, but not restrict the files from being viewed with an mp3 player for example, right?

EDIT: In other words, it's secure?