
Folder/directory security using sessions

Hi all,

I have created a mini website which uses sessions for a login. I have a folder which has various documents in it which users can access; however, I don't want anything to be accessed unless they are logged in.

Any ideas how I can do this?

I'm guessing something to do with an .htaccess file checking against a PHP file, but not sure. Any working examples available?

Thanks in advance

PHP

10 Comments(s)

@ginerjmJan 20.2016 — Well, you could just place the docs in a folder outside of the web tree so that one has to use your php script to even see the filenames or retrieve them.

Then you would have your script that shows the files available in your web tree that goes to the 'safe' folder and grabs the names and displays them for you. The retrieval script would do the same thing - get the selected filename from the display created above and go and grab the actual file and do what you want to do with it.

In this fashion the files/folder are not accessible via HTTP, and the name of the folder is never shown to the user, nor is it available to the user without FTP access or some other (?) kind of malicious hack attempt. Obviously neither of the script(s) above would execute for the user if they are not already logged on, which you have to check at the top of each.
@TheTrooperauthorJan 20.2016 — mm, yeah I think I would prefer to have users have access to the folder/file in the tree if logged in, if not then be returned to the login screen. I found various info on .htaccess and use of an authorize.php but I'm not having much luck.
@ginerjmJan 20.2016 — I gave you the easiest safe way to do what you first posed. Do what you wish.
@NogDogJan 20.2016 — It's possible to interact with HTTP Authentication in PHP: http://php.net/manual/en/features.http-auth.php

However, personally, I'd do something along the line ginerjm discussed, putting the document directory tree outside of the web document root tree (or else denying direct access to it via .htaccess), then create a login-controlled PHP script that could display the directories viewable by the logged in user (glob() is useful and simple for this), and include a file server script to download/view any file requested from that page.
@ginerjmJan 20.2016 — Thanks for the vote of confidence NogDog!

The Trooper: One thing to add to NogDog's post is that the use of .htaccess for control is completely unnecessary if the doc folder(s) are placed outside of the web tree. So - why complicate life by not doing that?
@TheTrooperauthorJan 20.2016 — ok thanks for the help. I think I'll go with placing the files outside of the web tree. I currently have the files within the web tree and am using the following script:

[code=php]
<?php
// list every entry scandir() returns for the docs folder inside the web tree
$files = scandir('docs/');
sort($files); // this does the sorting
foreach ($files as $file) {
    // each entry becomes a direct link into /docs/
    echo '<li><a href="/docs/' . $file . '">' . $file . '</a></li>';
}
?>
[/code]


I have two issues with this. The first is what the URL would be if I move the folder outside of the web tree. The second is I suddenly have two extra links going to the root directory?
@ginerjmJan 20.2016 — You need to do more than just iterate through the returned names. Check for the types of extensions you want and, of course, skip the . and .. ones.

As for the URL - since it is outside the web tree, you can't use an anchor tag to point to it. Use your own method to link to the file from your script and display it instead of the anchor, which won't work anyway since it is outside the tree. Use a drop-down to select the name and a submit button to trigger your script.
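Putting ginerjm's two posts together (documents outside the web root, a login check at the top of the script, skip `.` and `..`, allow only the extensions you want), here is a listing script as an added example; it is not code from the thread. It assumes the login page sets `$_SESSION['user_id']`, that the documents live at `/var/www/private_docs` (a path that the web server cannot serve directly), that the login form is `/login.php`, and that a separate `get_file.php` does the actual download; the `listDocuments()` helper and the allowlist are likewise assumptions for the example. If the folder has to stay in the web tree for now, an `.htaccess` containing `Require all denied` (Apache 2.4) keeps direct requests out while this script still reads the folder from disk.

```php
<?php
// Added example (not from the thread): document listing for logged-in users only.
// Assumes the login page sets $_SESSION['user_id'] on success (adjust to your own key).
session_start();

if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');      // assumed location of the login form
    exit;
}

// Documents live OUTSIDE the web root, so none of them is reachable by URL.
$docDir = '/var/www/private_docs';       // assumed path
// Only files with these extensions are ever shown (and, in get_file.php, served).
$allowedExt = ['pdf', 'docx', 'xlsx', 'txt'];

/**
 * Return the serveable file names in $dir, naturally sorted.
 * '.' and '..' (the "two extra links" scandir() produces), dot-files and
 * subdirectories are skipped, as is anything whose extension is not allowed.
 */
function listDocuments(string $dir, array $allowedExt): array
{
    $entries = scandir($dir);
    if ($entries === false) {
        return [];                                       // folder missing or unreadable
    }
    $out = [];
    foreach ($entries as $name) {
        if ($name === '.' || $name === '..' || $name[0] === '.') {
            continue;                                    // skip . .. and hidden files
        }
        if (!is_file($dir . DIRECTORY_SEPARATOR . $name)) {
            continue;                                    // skip subdirectories
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowedExt, true)) {
            continue;                                    // not on the allowlist
        }
        $out[] = $name;
    }
    sort($out, SORT_NATURAL | SORT_FLAG_CASE);
    return $out;
}

echo "<ul>\n";
foreach (listDocuments($docDir, $allowedExt) as $name) {
    // The link points at the download script, never at the file itself. The name is
    // URL-encoded for the query string and HTML-escaped so odd file names cannot
    // inject markup into the page.
    printf(
        "<li><a href=\"/get_file.php?file=%s\">%s</a></li>\n",
        htmlspecialchars(urlencode($name), ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
    );
}
echo "</ul>\n";
```

The same `$allowedExt` list should be used by the download script, so a file that is hidden from the listing can also not be fetched by typing its name into the query string.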
@JFinlayJan 20.2016 — Hello, can you help me? How do I start a new post?
@NogDogJan 20.2016 — Just sketching something out here, the key is that your file links point to a download script, putting something in the query string to tell it what file (e.g. example.com/get_file.php?file=fubar). That file could be something along these lines (hopefully fleshed out a bit and removing any bugs I typed):
[code=php]
<?php

$docDir = '/path/to/the/documents/';

require_once "path/to/file/with/login/stuff.php";

if(!valid_user()) // place-holder function name
{
    // send to login page or something here?
    exit;
}

if(!empty($_GET['file'])) {
    // basename() strips any directory part, so "../" cannot walk out of $docDir
    $fileName = basename($_GET['file']);
    // is_file() (rather than file_exists()) rejects directories, including "." and ".."
    if($fileName !== '.' && $fileName !== '..' && is_file($docDir.$fileName)) {
        header('Content-Type: application/octet-stream');
        // use the real name; drop double quotes so they cannot break the header value
        header('Content-Disposition: attachment; filename="'.str_replace('"', '', $fileName).'"');
        header('Content-Length: '.filesize($docDir.$fileName));
        // there are other headers you could set, do some googling :)
        readfile($docDir.$fileName); // note the $ - readfile(docDir...) was a typo
    }
    else {
        echo "File '".htmlspecialchars($fileName, ENT_QUOTES, 'UTF-8')."' does not exist."; // or something nice in HTML
    }
}
else {
    // whatever you want to do if they got here without a "?file=something" in the URL
}
[/code]
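NogDog's sketch relies on `basename()` alone to keep `?file=` inside the document folder. As an added example (not NogDog's code, and not part of the original thread), here is a hardened `get_file.php` that adds the checks a reviewer would ask for: an extension-to-Content-Type allowlist, `realpath()` canonicalisation with a containment check so that symlinks inside the folder cannot point outside it, `X-Content-Type-Options: nosniff` so the browser cannot reinterpret a document as HTML, and one identical 404 for every failure so the response does not reveal which names exist. It assumes the same `$_SESSION['user_id']` login marker, the same `/var/www/private_docs` location and `/login.php` form as above; `resolveDocument()` and the allowlist are names made up for this example.

```php
<?php
// Added example (not from the thread): hardened download script for documents
// stored outside the web root. Requires PHP 7.1+ for the nullable return type.
session_start();

if (empty($_SESSION['user_id'])) {       // assumed session key set by the login page
    header('Location: /login.php');      // assumed location of the login form
    exit;
}

// realpath() gives the canonical folder path (no trailing slash, symlinks resolved).
$docDir = realpath('/var/www/private_docs');   // assumed path
if ($docDir === false) {
    http_response_code(500);
    exit('Document folder is not available.');
}

// extension => Content-Type allowlist; anything else is never served.
$allowed = [
    'pdf'  => 'application/pdf',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    'txt'  => 'text/plain',
];

/**
 * Resolve a requested name to a regular file inside $docDir, or return null.
 * basename() removes any directory component; realpath() then resolves the
 * candidate, and the result must still start with "$docDir/", so neither ".."
 * nor a symlink placed in the folder can reach anything outside it.
 */
function resolveDocument(string $docDir, string $requested, array $allowed): ?string
{
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..' || $name[0] === '.') {
        return null;                                     // empty, dot entries, hidden files
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                                     // extension not on the allowlist
    }
    $path = realpath($docDir . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;                                     // missing, or a directory
    }
    $prefix = $docDir . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                                     // resolved outside the folder
    }
    return $path;
}

$path = isset($_GET['file'])
    ? resolveDocument($docDir, (string) $_GET['file'], $allowed)
    : null;

if ($path === null) {
    http_response_code(404);
    exit('No such document.');          // same answer for every failure: no name probing
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . $allowed[$ext]);
header('X-Content-Type-Options: nosniff');   // stop the browser guessing another type
header('Content-Length: ' . filesize($path));
// Send the real file name, reduced to characters that are safe inside the header.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
readfile($path);
```

Because `$allowed` is keyed by extension, the listing script and this script can share one definition (for example via `require_once`), which keeps "shown" and "downloadable" from drifting apart.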
@latrellvieJan 21.2016 — Thanks ginerjm, you helped and solved my problem

http://www.webdeveloper.com/forum/showthread.php?352629-sql-quot-SELECT-Id-FirstName-LastName-FROM-mydb-quot

, I had to delete it and open it elsewhere because I couldn't edit it and had some passwords in the old post that I'd rather not let everybody see. Can I vote for you on this platform?