3

In my CodeIgniter app, I have an authentication method to check if the user is logged in. It is based on session cookies (the standard CI way) and it works perfectly fine.

This method is called from the constructor of each and every controller.

If the user is not logged in, the authentication method redirects to login page.

In the app, there's an option to upload files as well, and the uploading part works fine too. The files get stored into one particular directory on the server. However, if someone has the URI/URL of the uploaded file(s), he or she is able to access it, even without logging in to the application. Since it is just a URL and doesn't go through any controller, anybody will be able to access it even if the person is not logged in.

Any thoughts on how to prevent this?

Thanks

user2396285
  • Only allow access to files using a PHP script: http://stackoverflow.com/questions/2679524/block-direct-access-to-a-file-over-http-but-allow-php-script-access – Dormouse Jun 30 '13 at 09:55
  • http://stackoverflow.com/questions/11708702/codeigniter-users-should-only-have-access-to-their-own-images I think you will need something like this -> to serve files just to registered users (I guess that is the intention). – sinisake Jun 30 '13 at 10:04
  • Should have mentioned initially - I am using Apache and nginx. All static content like user-uploaded files is getting served via nginx... – user2396285 Jun 30 '13 at 10:44
  • There's a helpful [topic](http://stackoverflow.com/questions/16189758/serve-large-file-with-php-and-nginx-x-accel-redirect) on SO. Also, I wrote an [application](https://github.com/qolami/PHP-File-Downloader) a long time ago to download files via PHP; you might find some useful logic there. I think this issue would be solved by a little hacking and/or mixing. – Hashem Qolami Jun 30 '13 at 17:28

1 Answer

1

Try creating a .htaccess file in that folder, with the following line:

Deny from all

If you need to download the file, create a controller and use the download helper (force_download function). This will disable all kinds of direct access (so you cannot use these files in the website; if they are images you cannot use them with ).

ivanargulo
  • Perfect!! The download helper works very nicely. I am using nginx and I have used the following: `location /ci/static/userFiles { internal; root /var/www; }` – user2396285 Jul 02 '13 at 16:42
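The pattern the answer and the last comment converge on, as an added example that is not code from the question, the answer, or CodeIgniter itself: every file request passes through a controller whose constructor runs the same session check as the rest of the app, the requested name is confined to the upload directory, and the bytes are then delivered either by `force_download()` (as the answer suggests) or by handing off to nginx with `X-Accel-Redirect` (as the commenter did, which is the nginx equivalent of the `.htaccess` rule, since nginx never reads `.htaccess`). Assumptions, all hypothetical: the session key is `logged_in`, uploads live in `/var/www/ci/static/userFiles`, the session library and url helper are autoloaded, and nginx carries the `internal` location quoted in the comment.

```php
<?php
// Added example (not from the question, the answer, or the CodeIgniter project).
// Assumes CodeIgniter 2.x/3.x, a session key 'logged_in' set by the app's own
// auth method, and uploads stored in the hypothetical directory below.
defined('BASEPATH') OR exit('No direct script access allowed');

class Files extends CI_Controller {

    // Hypothetical upload directory; with nginx it must equal "root" + the location path.
    const UPLOAD_DIR = '/var/www/ci/static/userFiles';

    public function __construct()
    {
        parent::__construct();
        $this->load->helper(array('download', 'file', 'url'));
        // Same gate the question describes in every controller constructor:
        // anonymous users never reach the file-serving methods.
        if ( ! $this->session->userdata('logged_in')) {
            redirect('login');
        }
    }

    // Map a user-supplied name to a real file inside UPLOAD_DIR, or 404.
    // basename() drops any directory part ("../../etc/passwd" -> "passwd"),
    // and the realpath() prefix check catches symlinks that point outside.
    private function _safe_path($name)
    {
        $name = basename($name);
        $base = realpath(self::UPLOAD_DIR);
        $path = realpath(self::UPLOAD_DIR . DIRECTORY_SEPARATOR . $name);
        if ($base === FALSE || $path === FALSE
            || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
            || ! is_file($path)) {
            show_404();
        }
        return $path;
    }

    // Route: /files/download/<name>. PHP reads the whole file and pushes it with
    // the download helper, exactly as the answer proposes. Fine for small files.
    public function download($name)
    {
        $path = $this->_safe_path($name);
        force_download(basename($path), file_get_contents($path));
    }

    // Route: /files/view/<name>. PHP only authorises; nginx streams the bytes.
    // Requires in nginx.conf (the commenter's line):
    //   location /ci/static/userFiles { internal; root /var/www; }
    // "internal" means a browser requesting /ci/static/userFiles/x.png directly
    // gets 404; the URI is reachable only through this X-Accel-Redirect header.
    public function view($name)
    {
        $path = $this->_safe_path($name);
        // Content-Type/-Disposition set here are kept by nginx on the internal redirect.
        $mime = get_mime_by_extension($path) ?: 'application/octet-stream';
        $this->output
            ->set_content_type($mime)
            ->set_header('Content-Disposition: inline; filename="' . basename($path) . '"')
            ->set_header('X-Accel-Redirect: /ci/static/userFiles/' . rawurlencode(basename($path)));
    }
}
```

With this in place an `<img src="/files/view/photo.png">` in a page works for logged-in users, while `/ci/static/userFiles/photo.png` itself answers 404 to everyone; the `_safe_path()` check is what stops an authenticated user from turning the same endpoint into an arbitrary-file read.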