
Folder protection???

Posted: Mon Mar 16, 2009 4:55 am
by mikenye
Hi all,

I have a website that uses PHP sessions and VeriSign for the security side of things. The site itself is a large database of PDFs... however, we found that even though the pages were secure, you can access the PDFs if you know the folder location.

e.g.: https://www.mikenye.co.uk/products/pdf_folder/main.pdf (example URL, not real)

Is there a way of adding session security to the holding folder? I'm stuck and am not too sure how to do this. I know that this flaw renders the website useless.

Thanks for any help

Mike

Re: Folder protection???

Posted: Mon Mar 16, 2009 8:35 am
by jaoudestudios
You can use a .htaccess file.

This will give you a few options.

Re: Folder protection???

Posted: Mon Mar 16, 2009 11:16 am
by William
Look up mod_rewrite on Google if you're using Apache as your web server. It will allow you to rewrite the URL to, let's say, a PHP file to do more authenticating. Basically you could make

http://www.mydomain.com/files/blah.pdf
point to a PHP file that checks the user's authentication. If the user authenticates, send the file to the user, else display an error or do whatever.

Re: Folder protection???

Posted: Wed Mar 18, 2009 8:40 am
by kaisellgren
Put the files outside the document root. Serve them through a PHP script.
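
The approach suggested in the last two replies, as an added example that is not part of any post in this thread: a PHP script that checks the session before streaming a PDF stored outside the document root. The script name `download.php`, the storage path `/var/www/private/pdf`, the `file` query parameter and the `$_SESSION['user_id']` key are all assumptions.

```php
<?php
declare(strict_types=1);

// download.php (added example): gate PDF downloads behind the PHP session.
// Assumptions: PDFs live in PDF_DIR, outside the web root, and the site's
// login code sets $_SESSION['user_id'] on successful authentication.
const PDF_DIR = '/var/www/private/pdf';

// Resolve a requested name to a real file inside $baseDir, or null.
function resolve_pdf(string $requested, string $baseDir): ?string
{
    // basename() drops directory components such as "../".
    $name = basename($requested);
    if (!preg_match('/\A[A-Za-z0-9_-]+\.pdf\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so confirm the result is still the
    // validated name directly under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || basename($path) !== $name || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not authorised.');
}

$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_pdf($requested, PDF_DIR) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

// Release the session lock so a long download does not block other requests.
session_write_close();

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

The session check only protects the PDFs once they are no longer reachable by direct URL, so the files have to be moved out of the web-served folder (or that folder denied in `.htaccess`) for this to close the gap described in the first post.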