
I have a subdirectory of users that I want to limit each subfolder to that user only.

For example I have /users/user1 where I want to protect the user1 folder so that only user1 can access the files inside.

I tried playing around with an .htaccess and .htpasswd file, but I get prompted to log in a second time even though I have authenticated against a MySQL database.

I'm not sure what to do to basically have the second log in request automatically handled since the user would be authenticated previously.

I can post some code that I have for my .ht files, but I thought that this info could get the ball rolling.

p.campbell
innov83r
  • authenticated how? via HTTP basic auth? form-based cookie-using login? Those are two different login systems that are pretty much (usually) independent of each other. – Marc B Nov 23 '11 at 17:30
  • I have little knowledge, but I think (apache) htpasswd is not the same as mysql authentication, are you using mod_auth_mysql? – ajreal Nov 23 '11 at 17:31
  • Possible dupe: http://stackoverflow.com/questions/2328068/authentication-denying-access-to-files-in-directory-with-php – djdy Nov 23 '11 at 17:32
  • I'm using a form to verify against a database. I'm not using mod_auth_mysql at least I don't think I am. I'm getting username and password then connecting to a mysql db and seeing if the user is there and has the correct password if so I direct them to their account homepage. I read that post, but I guess I'm confused of how to open the file if the file is an .mp3 file and serve it to the user via php... – innov83r Nov 23 '11 at 17:42

1 Answer

I think that using a php proxy to access the files would be sufficient in this case, something along the lines of:

Download.php

<?php
   /** Load your user assumed $user **/

   $file = trim($_GET['file']);

   /** Sanitize file name here **/

   // Build the full path once so every filesystem call below uses the same file
   $path = '/users/user'.$user->id.'/'.$file;

   if (true === file_exists($path)) {
       //from http://php.net/manual/en/function.readfile.php
       header('Content-Description: File Transfer');
       header('Content-Type: application/octet-stream');
       header('Content-Disposition: attachment; filename="'.$file.'"');
       header('Content-Transfer-Encoding: binary');
       header('Expires: 0');
       header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
       header('Pragma: public');
       // Size and contents must come from the full path, not the bare file name
       header('Content-Length: ' . filesize($path));
       ob_clean();
       flush();
       readfile($path);
       exit;
   } else {
       throw new Exception('File Not Found');
   }

.htaccess To deny all direct file downloads

deny from all

You would then link to the folders by using /download.php?file=filename.ext and it would only download that file from the users directory of the current user.

You'll want to ensure you sanitize the input file name so you're not vulnerable to directory traversal exploits.

Jason Brumwell
  • Thanks, I'll give this a go! Would this work if all I wanted to do was to load the file to the html5 audio tag so I could play it? – innov83r Nov 23 '11 at 18:33
  • Yeah if you're using it for the audio tag you would just do something along the lines of: I've never had to do it with a mp3 file through the audio tag so if it doesn't work I would remove the attachment disposition which should allow it to work but I haven't tested it let me know how it goes – Jason Brumwell Nov 23 '11 at 19:48
  • Hey Jason, it doesn't seem to be working for me... still trying to get it to work... – innov83r Nov 26 '11 at 16:18
  • If you can provide some details about what's not working I can try and help – Jason Brumwell Nov 27 '11 at 18:38
  • I'll post some details in the coming days... got a bit busy with other things. Thanks for your help – innov83r Nov 28 '11 at 16:11
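
One way to fill in the "Sanitize file name here" step from the answer above, as an added example that is not part of the original thread: the requested name is canonicalized with realpath() and served only if the result still lies inside that user's own folder. The function name resolveUserFile(), the temporary directory and the sample files are assumptions made for illustration.

```php
<?php
// Added example, not the answerer's code. resolveUserFile() and the
// directory layout below are assumptions made for illustration.

/**
 * Return the canonical path of $requested inside the user's own directory,
 * or null if it does not exist or resolves outside that directory.
 */
function resolveUserFile(string $usersRoot, string $userId, string $requested): ?string
{
    // The id comes from the logged-in session, but still refuse anything odd.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $userId)) {
        return null;
    }
    $base = realpath($usersRoot . '/user' . $userId);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false if the file is missing.
    $path = realpath($base . '/' . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The trailing separator stops /users/user1 from matching /users/user10.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample tree in a temp directory so the script runs offline.
$root = sys_get_temp_dir() . '/users_demo_' . getmypid();
foreach (['user1', 'user10', 'user2'] as $dir) {
    mkdir("$root/$dir", 0700, true);
    file_put_contents("$root/$dir/track.mp3", "constructed sample for $dir");
}

// Requests made on behalf of user 1; only the first one should be served.
$requests = ['track.mp3', '../user2/track.mp3', '../user10/track.mp3', 'missing.mp3'];
foreach ($requests as $r) {
    $resolved = resolveUserFile($root, '1', $r);
    printf("%-22s => %s\n", $r, $resolved === null ? 'rejected' : 'served from ' . $resolved);
}
```

In a download script like the one in the answer, the returned path would be the value passed to filesize() and readfile(), with the user id taken from the session rather than from the request.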