Bytes | Software Development & Data Engineering Community

Can I use $_SESSION to limit access to directories?

I have a login script that creates a SESSION for authenticated users. But
authenticated users still need access to particular directories (which
contain files for download). My hosting provider lets me protect
directories with htaccess, but this means an already authenticated user must
enter credentials a second time in the pop up dialog that appears in the
browser window when attempting to download something from an
htaccess-protected directory. AFAIK, there is no way to pass credentials to
htaccess. How do I protect an authenticated user's files and/or
directories? Is there an alternative to htaccess?

Thanks in advance.
Jul 17 '05 #1
*** deko wrote (Sat, 12 Mar 2005 19:59:23 GMT):
> I have a login script that creates a SESSION for authenticated users.
You already have 95% of the work done. Now...

Can you use these credentials to protect directories? No, you cannot, as
far as I know. PHP will never handle the directory listings created by
Apache, JPEG files, PDF files, etc.

Can you use these credentials to protect PHP files? Sure. The simplest
way:

<?php
// Resume the session the login script created, then refuse the request
// unless it carries the expected authenticated user id
session_start();

if( !isset($_SESSION['authenticated_user_id']) || $_SESSION['authenticated_user_id']!=666 ){
    die('Unauthorized');
}

?>
> How do I protect an authenticated user's files and/or directories?

The typical option is moving them outside the public web directory, where
they cannot be served by Apache. Then do not link the files, link a
download script written in PHP.
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (the humour site, varnished for the outdoors)
++ Send your questions to the group, not to my mailbox
--
Jul 17 '05 #2
> The typical option is moving them outside the public web directory, where
> they cannot be served by Apache. Then do not link the files, link a
> download script written in PHP.


So that's how it's done. Thanks for the tip.

Here's what I've tried:

The link in the secure (SSL-encrypted) page looks like this:

<a href='../../dlcounter.php?file=somefile.zip|username'>somefile.zip</a>

[dlcounter.php]
<?php
// Both the file name and the user name arrive in the query string, separated by "|"
$dlfile = trim($_GET['file']);
$dlfile = explode("|", $dlfile);
// Pick the user's directory from the user name given in the URL
switch ($dlfile[1])
{
    case "thisuser":
        $dlpath = '/home/myispacct/thisuser/'.$dlfile[0];
        break;
    case "thatuser":
        $dlpath = '/home/myispacct/thatuser/'.$dlfile[0];
        break;
    case "otheruser":
        $dlpath = '/home/myispacct/otheruser/'.$dlfile[0];
        break;
    default:
        $dlpath = 'http://www.mysite.com/PublicDownload/'.$dlfile[0];
}
// [code to record download user and time goes here]
echo $dlpath;

So far so good. But how do I start the download? I hope this is not too
silly a question...
Jul 17 '05 #3
*** deko wrote (Sun, 13 Mar 2005 21:17:25 GMT):
> <a href='../../dlcounter.php?file=somefile.zip|username'>somefile.zip</a>
Just be aware that it's awfully easy to rewrite the URL. Get the username
when you validate the user and keep it in a session variable.

> $dlpath = 'http://www.mysite.com/PublicDownload/'.$dlfile[0]; [...]
> So far so good. But how do I start the download?
readfile() will do the trick. You can additionally generate the appropriate
content type header with header('Content-Type: ......').

> I hope this is not too silly a question...

Of course not :)
--
-+ Álvaro G. Vicario - Burgos, Spain
--
Jul 17 '05 #4
> > <a href='../../dlcounter.php?file=somefile.zip|username'>somefile.zip</a>
>
> Just be aware that it's awfully easy to rewrite the URL. Get the username
> when you validate the user and keep it in a session variable.
So, would you suggest something like this:

<a href='../../dlcounter.php?file=$_SESSION['uid']>somefile.zip</a>

The problem with using the session variable is that the session is lost when
going from the SSL-encrypted private user page to the dlcounter.php script.
Is it possible to reference the script like this:

https://www.mysite.com/dlcounter.php

But then the script would have to be in a publicly-accessible area. Is that
a problem?
> readfile() will do the trick. You can additionally generate the appropriate
> content type header with header('Content-Type: ......').


That's the ticket! Thanks! I got it working with this (stripped down
version of dlcounter.php):

<?php
// Serve a file that lives outside the web root as a generic binary attachment
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=test.txt");
readfile("/home/myispacct/secure/test.txt");
?>

One more question:

Is it better to use:
header("Content-Type: application/force-download")
or
header("Content-Type: application/octet-stream");
?
Jul 17 '05 #5
> > <a href='../../dlcounter.php?file=somefile.zip|username'>somefile.zip</a>
>
> Just be aware that it's awfully easy to rewrite the URL. Get the username
> when you validate the user and keep it in a session variable.


I also tried this:

<a href='https://hostname.myisp.com/myacct/dlcounter.php'>somefile.zip</a>

The SSL state appears to be preserved as it goes to dlcounter.php, but I
can't get the SESSION variable value. If I put this in dlcounter.php:

echo $_SESSION['uid'];
exit;

Nothing is echoed on the screen.

I set $_SESSION['uid'] on the login page:

session_start();
$_SESSION['uid'] = $user;
$url="https://hostname.myisp.com/myacct/someuser/privatepage.php";
header('Location: '.$url); //redirect to privatepage.php

echo $_SESSION['uid'] will return the correct value on privatepage.php - but
not on dlcounter.php. Is there some reason why the variable is lost when
clicking on the link in privatepage.php? Do I need to set another Session
variable for the purpose of secure downloading?
Jul 17 '05 #6
> echo $_SESSION['uid'] will return the correct value on privatepage.php - but
> not on dlcounter.php. Is there some reason why the variable is lost when
> clicking on the link in privatepage.php? Do I need to set another Session
> variable for the purpose of secure downloading?


oops...

session_start();
echo "SESSION[uid] = ".$_SESSION['uid'];
exit;

now it works :)
Jul 17 '05 #7
making progress, but...

---link in privatepage.php---

<a href='https://hostname.myisp.com/myacct/dlcounter.php?file=test.zip'>test.zip</a>

---code in dlcounter---

<?php
session_start();
// $dlfile comes straight from the query string and is used in the path unchecked
$dlfile = trim($_GET['file']);
// Choose the directory from the user name stored in the session, not from the URL
switch ($_SESSION['uid'])
{
    case "someuser":
        // note: no leading "/", so this path is relative to the script's working directory
        $dlpath = 'home/myacct/someuser/'.$dlfile;
        break;
    default:
        $dlpath = 'http://www.mysite.com/PublicDownload/'.$dlfile;
}
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=".$dlfile);
readfile($dlpath);

The download dialog appears, but the download fails because the path to the file
is getting screwed up. In the File Download dialog, the File Name appears
not as "test.txt", but as a URL to dlcounter.php. Perhaps this is because
it's looking for an SSL-encrypted path? How do I get it to go to the correct
path? Is this possible when connecting to an SSL-encrypted dlcounter.php?

Thanks again for the help.
Jul 17 '05 #8
*** deko wrote (Sun, 13 Mar 2005 23:30:47 GMT):
> > Just be aware that it's awfully easy to rewrite the URL. Get the username
> > when you validate the user and keep it in a session variable.
> So, would you suggest something like this:
>
> <a href='../../dlcounter.php?file=$_SESSION['uid']>somefile.zip</a>

I would suggest NOT doing so. What prevents me from typing any username in
my browser's location bar?

> The problem with using the session variable is that the session is lost when
> going from the SSL-encrypted private user page to the dlcounter.php script.

Then transmit the session ID in the URL when moving to SSL zone. Check
this:

http://es.php.net/manual/en/function.session-id.php

Or you can also use SSL from the login onwards.
--
-+ Álvaro G. Vicario - Burgos, Spain
--
Jul 17 '05 #9
*** deko wrote (Mon, 14 Mar 2005 00:57:21 GMT):
> $dlpath = 'home/myacct/someuser/'.$dlfile;
> break;
> default:
> $dlpath = 'http://www.mysite.com/PublicDownload/'.$dlfile;
> }
> header("Content-Type: application/octet-stream");
> header("Content-Disposition: attachment; filename=".$dlfile);
> readfile($dlpath);
>
> The download dialog appears, but the download fails because the path to the file
> is getting screwed up. In the File Download dialog, the File Name appears
> not as "test.txt", but as a URL to dlcounter.php. Perhaps this is because
> it's looking for an SSL-encrypted path? How do I get it to go to the correct
> path? Is this possible when connecting to an SSL-encrypted dlcounter.php?

I'll try to explain myself better. The problem is that you can't password
protect directories. So we've moved files outside the web server root and
we are using a script to download them. If your script loads files from
within the web server root, we're doing nothing! Your users can override
the script and point their browsers to the actual URL. You want your script
to read from the *file system*, from a directory that's hidden to browsers.
--
-+ Álvaro G. Vicario - Burgos, Spain
--
Jul 17 '05 #10
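As an added example that is not code from this thread, here is a dlcounter.php in the shape Álvaro describes: the user id comes only from the session, the requested name is reduced to a basename and checked against a character whitelist, and realpath() confirms the file really sits inside that user's directory outside the web root before readfile() sends it. It assumes the session key 'uid' and the layout /home/myispacct/<uid>/ seen earlier in the thread, and that the session cookie was set over HTTPS on this same host; all three are assumptions.

```php
<?php
// Added example (not from the thread). Assumed: session key 'uid', each
// user's files under /home/myispacct/<uid>/ outside the web root, and a
// session cookie already issued over HTTPS on this host by the login page.
session_start();

// Refuse anything that is not an authenticated session; the user name is
// never taken from the query string, so rewriting the URL gains nothing.
if (empty($_SESSION['uid']) || !preg_match('/^[A-Za-z0-9_-]+$/', $_SESSION['uid'])) {
    header('HTTP/1.0 403 Forbidden');
    exit('Unauthorized');
}
$uid = $_SESSION['uid'];

// Keep only the basename of ?file= and restrict it to safe characters, so
// directory components and control characters never reach the path or
// the Content-Disposition header.
$requested = isset($_GET['file']) ? basename((string) $_GET['file']) : '';
if ($requested === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $requested)) {
    header('HTTP/1.0 400 Bad Request');
    exit('Bad file name');
}

// Resolve both paths and insist the file lies inside the user's directory.
// realpath() returns false for missing files, and a name such as ".."
// resolves to the parent directory and fails the prefix check.
$userDir = realpath('/home/myispacct/' . $uid);
$path    = ($userDir === false) ? false : realpath($userDir . '/' . $requested);
if ($path === false || strpos($path, $userDir . '/') !== 0 || !is_file($path)) {
    header('HTTP/1.0 404 Not Found');
    exit('File not found');
}

// [code to record download user and time would go here]

// Send the file from the file system as a generic binary attachment.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $requested . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
exit;
```

The script deliberately has no public-download fallback URL: files meant to be public can simply be linked directly, while everything served here must pass the session and path checks.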
