
My website's users log in using accounts they set up on my website.

I of course store their login info in a DB table, and this table is accessed when they fill out the login form. This is just a proprietary system I created.

When users are logged in, they can see a list of documents that are stored in a folder on my website. If they are not logged in, they don't have access to this list. However, if someone knows the direct URL of one of the documents, they can download it without logging in. I want to restrict access to this folder to only logged-in users.

I guess I could put a password on the folder itself, but I don't want users to have to enter a password twice. How can I detect if the user is logged in and restrict access to only a logged in user?

Forgive me if this question sounds basic, but I come from the world of IIS and I'm not sure how to do this using a PHP web server.

This is basically the same question, although I'm not using ASP.NET or IIS.

Hamza Zafeer
Industrial Themes

3 Answers


You can use a ".htaccess" file to achieve this goal...

Check this: http://www.linuxhelp.net/guides/htaccessmysql/

Ovais Khatri
    But how would I link up the .htaccess file with the user that's currently logged in? Can I check a session variable in the htaccess file? – Industrial Themes Jun 23 '11 at 14:46
  • Make your application use HTTP authentication as well. You can quite easily create a single sign-on for both the web server and your application. – hakre Jun 23 '11 at 14:50

I'd set up a page that they could log in to that would list out the files and allow the user to click on them. It could easily be tied into your existing system that way with very little effort. You could then protect the directory from direct listing on screen and be as secure as your existing auth system allows.

Here's an example of how to get the files in a particular directory. You could then foreach over the array and link them up accordingly. If you were really concerned about file "theft", you could set up a download page that the user would have to route through to get the downloads themselves, thereby totally obscuring the directory.

bpeterson76
  • Right now the system is very complex and lists out certain files and documents based on a complex relational system of user roles and such. I don't want to modify the code, I just want to know if there is a way to restrict a folder to only users who are logged in to a website (i.e. the logged in session variable is true) – Industrial Themes Jun 23 '11 at 14:49
  • which webserver are you using? – hakre Jun 23 '11 at 16:37
  • I believe it's an Apache server – Industrial Themes Jun 23 '11 at 17:58
  • For the download page method, how exactly would that work? How would it be more secure - you're saying the directory would be totally obscure and secure that way? Do you have a link explaining this method, or an example, or a quick explanation? I really appreciate your help. – Industrial Themes Jun 27 '11 at 20:11
  • @brian, here's a rough idea: http://www.codewalkers.com/c/a/Miscellaneous/Using-PHP-to-Stream-MP3-Files-and-Prevent-Illegal-Downloading/2/ Basically, you let them "see" a php page, not a directory. You list out the files via php and then allow them to click on a download.php page with a parameter that tells the file to serve up the desired file. You can secure the php page with your chosen auth system, so that secures viewing. The download.php page is also secured in that manner, and the links to actual files are obscured within. Combine with directory view denial and you're set. – bpeterson76 Jun 27 '11 at 20:25

Try not to give the user the direct URL of your documents. You can make a PHP file that first checks the user and then reads the document and outputs it.

hanguofeng
  • Thanks but that is not my question. – Industrial Themes Jun 23 '11 at 14:47
  • 2
    @brianmcculloh That´s actually the solution I would use as well, move the files out of the web-directory so that they are never directly accessible, make a virtual directory in php where every link serves a php file. And that last php file reads and outputs the document. You can restrict access everywhere you want (virtual directory and / or file). – jeroen Jun 23 '11 at 15:08
  • OK, I think I may want to go this route. Do you have maybe an example link to a tutorial that explains this or any further info? For instance, how do I use a php file to read and output a document? How do I create a virtual directory in php? Thanks! – Industrial Themes Jun 27 '11 at 20:13
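One way to put this answer (and the download.php idea from the comments on the previous answer) into practice, as an added example that is not code from the question or from any of the answers: a single PHP script that is both the "virtual directory" listing and the download gate. It assumes the site's own login code sets $_SESSION['logged_in'] to true on success and that the documents have been moved to /var/www/private_docs, outside the web root; the session key, the path and the script name download.php are all assumptions, not taken from the page.

```php
<?php
// download.php: serves documents stored outside the web root to logged-in users.
// Added example, not code from the original question or answers. It assumes the
// site's login code sets $_SESSION['logged_in'] = true on success and that the
// documents live in /var/www/private_docs (both are assumptions, not from the page).

declare(strict_types=1);

session_start();

const DOC_DIR = '/var/www/private_docs';   // assumed location, outside the web root

// 1. Gate: only logged-in users may reach the rest of this script.
if (empty($_SESSION['logged_in'])) {
    http_response_code(403);
    exit('Please log in first.');
}

// 2. Resolve the requested name to a real file inside DOC_DIR, rejecting anything
//    that tries to leave it (e.g. "../../etc/passwd" or an absolute path).
function resolveDocument(string $name): ?string
{
    // basename() discards any directory part the client supplied.
    $name = basename($name);
    if ($name === '' || $name[0] === '.') {
        return null; // hidden files (.htaccess, .git) are never served
    }
    $path = realpath(DOC_DIR . DIRECTORY_SEPARATOR . $name);
    $base = realpath(DOC_DIR);
    if ($path === false || $base === false || !is_file($path)) {
        return null;
    }
    // realpath() resolves symlinks, so a symlink pointing outside DOC_DIR fails here.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// 3. Stream the file with headers that force a download rather than inline rendering.
function sendDocument(string $path): void
{
    $filename = basename($path);
    // Replace non-printable characters, quotes and backslashes so a hostile
    // filename cannot break out of the quoted header value.
    $safe = preg_replace('/[^\x20-\x7E]|["\\\\]/', '_', $filename);
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    readfile($path);
}

if (!isset($_GET['file'])) {
    // No file requested: render the "virtual directory" listing with links back to
    // this same script, so the real folder path never appears in a URL.
    header('Content-Type: text/html; charset=utf-8');
    echo '<ul>';
    foreach (scandir(DOC_DIR) ?: [] as $entry) {
        if ($entry[0] === '.' || !is_file(DOC_DIR . DIRECTORY_SEPARATOR . $entry)) {
            continue;
        }
        $label = htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');
        $link  = 'download.php?file=' . rawurlencode($entry);
        echo "<li><a href=\"$link\">$label</a></li>";
    }
    echo '</ul>';
    exit;
}

$path = resolveDocument((string) $_GET['file']);
if ($path === null) {
    http_response_code(404);
    exit('No such document.');
}
sendDocument($path);
```

Point the links in the existing file list at download.php?file=NAME instead of at the folder; the existing role logic can stay in front of the listing, and the same login check runs again in this script, so knowing a link is not enough without a session. If the documents have to stay under the web root for now, add a .htaccess containing "Require all denied" (Apache 2.4) or "Deny from all" (Apache 2.2) to that folder: direct URLs then stop working, while download.php is unaffected because it reads the files through the filesystem rather than over HTTP. Make sure nothing is echoed before the header() calls, and note that readfile() sends the file in chunks, so large documents do not have to fit in PHP's memory limit.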