Folder protection???

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

mikenye
Forum Newbie
Posts: 3
Joined: Mon Nov 17, 2008 9:15 am

Folder protection???

Post by mikenye »

Hi all,

I have a website that uses PHP sessions and VeriSign for the security side of things. The site itself is a large database of PDFs... however, we found that even though the pages were secure, you can access the PDFs if you know the folder location?

e.g. https://www.mikenye.co.uk/products/pdf_folder/main.pdf (example URL, not real)

Is there a way of adding session security to the holding folder? I'm stuck and am not too sure how to do this. I know that this flaw renders the website useless.

Thanks for any help

Mike
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: Folder protection???

Post by jaoudestudios »

You can use a .htaccess file.

This will give you a few options.
William
Forum Contributor
Posts: 332
Joined: Sat Oct 25, 2003 4:03 am
Location: New York City

Re: Folder protection???

Post by William »

Look up mod_rewrite on Google if you're using Apache as your web server. It will allow you to rewrite the URL to, let's say... a PHP file to do more authenticating. Basically you could make

http://www.mydomain.com/files/blah.pdf

point to a PHP file that checks the user's authentication. If the user authenticates, send the file to the user, else display an error or do whatever.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Folder protection???

Post by kaisellgren »

Put the files outside the document root. Serve them through a PHP script.
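
A sketch of the gatekeeper script the replies above describe, added here as an example and not code posted by anyone in the thread. The storage path, the `file` query parameter, the `$_SESSION['user_id']` login marker and the `resolve_pdf()` helper are all assumptions; the same script can be the target of a mod_rewrite rule or be linked to directly.

```php
<?php
// download.php - added example. Assumes the PDFs were moved to a directory
// outside the document root and that login sets $_SESSION['user_id'].
declare(strict_types=1);

const PDF_DIR = '/var/www/private/pdfs'; // hypothetical path, not web-accessible

/**
 * Map a requested name to a real file inside $baseDir, or return null.
 * Rejects anything that is not a plain "name.pdf" and anything whose
 * canonical path (after symlinks) ends up outside the base directory.
 */
function resolve_pdf(string $baseDir, string $requested): ?string
{
    // Allow-list the name: no slashes, no leading dot, must end in .pdf
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\.pdf\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The canonical path must still sit under the base directory
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {   // no authenticated session: refuse
    http_response_code(403);
    exit('Forbidden');
}

$name = $_GET['file'] ?? '';          // hypothetical parameter name
$file = is_string($name) ? resolve_pdf(PDF_DIR, $name) : null;
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . basename($file) . '"');
header('Content-Length: ' . (string) filesize($file));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store'); // keep copies out of shared caches
readfile($file);
```

If the files must stay under the document root, the directory also needs a server-level deny rule so the direct URL stops working; otherwise the script can simply be bypassed.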