I have a login script that creates a SESSION for authenticated users. But
authenticated users still need access to particular directories (which
contain files for download). My hosting provider lets me protect
directories with htaccess, but this means an already authenticated user must
enter credentials a second time in the pop up dialog that appears in the
browser window when attempting to download something from an
htaccess-protected directory. AFAIK, there is no way to pass credentials to
htaccess. How do I protect an authenticated user's files and/or
directories? Is there an alternative to htaccess?
Thanks in advance. 12 1951
*** deko escribió/wrote (Sat, 12 Mar 2005 19:59:23 GMT): I have a login script that creates a SESSION for authenticated users.
You already have 95% of work done. Now...
Can you use these credentials to protect directories? No, you cannot, as
far as I know. PHP will never handle the directory listings created by
Apache, JPEG files, PDF files, etc.
Can you use these credentials to protect PHP files? Sure. This simpliest
way:
<?
if( !isset($_SESSION['authenticated_user_id']) || $_SESSION['authenticated_user_id']!=666 ){
die('Unauthorized');
}
?>
How do I protect an authenticated user's files and/or directories?
The typical option is moving them outside the public web directory, where
they cannot be served by Apache. Then do not link the files, link a
download script written in PHP.
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (la web de humor barnizada para la intemperie)
++ Manda tus dudas al grupo, no a mi buzón
-+ Send your questions to the group, not to my mailbox
--
> The typical option is moving them outside the public web directory, where they cannot be served by Apache. Then do not link the files, link a download script written in PHP.
So that's how it's done. Thanks for the tip.
Here's what I've tried:
The link in the secure (SSL-encrypted) page looks like this:
<a href='../../dlcounter.php?file=somefile.zip|username'>somefile .zip</a>
[dlcounter.php]
$dlfile = trim($_GET[file]);
$dlfile = explode("|", $dlfile);
switch ($dlfile[1])
{
case "thisuser":
$dlpath = '/home/myispacct/thisuser/'.$dlfile[0];
break;
case "thatuser":
$dlpath = '/home/myispacct/thatuser/'.$dlfile[0];
break;
case "otheruser":
$dlpath = '/home/myispacct/otheruser/'.$dlfile[0];
break;
default:
$dlpath = 'http://www.mysite.com/PublicDownload/'.$dlfile[0];
}
[code to record download user and time goes here]
echo $dlpath;
So far so good. But how do I start the download? I hope this is not too
silly a question...
*** deko escribió/wrote (Sun, 13 Mar 2005 21:17:25 GMT): <a href='../../dlcounter.php?file=somefile.zip|username'>somefile .zip</a>
Just be aware that it's awfully easy to rewrite the URL. Get the username
when you validate the user and keep it in a variable session.
$dlpath = 'http://www.mysite.com/PublicDownload/'.$dlfile[0];
[...] So far so good. But how do I start the download?
readfile() will do the trick. You can additionally generate the appropriate
content type header with header('Content-Type: ......').
I hope this is not too silly a question...
Of course not :)
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (la web de humor barnizada para la intemperie)
++ Manda tus dudas al grupo, no a mi buzón
-+ Send your questions to the group, not to my mailbox
--
> > <a
href='../../dlcounter.php?file=somefile.zip|username'>somefile .zip</a> Just be aware that it's awfully easy to rewrite the URL. Get the username when you validate the user and keep it in a variable session.
So, would you suggest something like this:
<a href='../../dlcounter.php?file=$_SESSION['uid']>somefile.zip</a>
The problem with using the session variable is that the session is lost when
going from the SSL-encrypted private user page to the dlcounter.php script.
Is it possible to reference the script like this: https://www.mysite.com/dlcounter.php
But then the script would have to be in a publicly-accessible area. Is that
a problem?
readfile() will do the trick. You can additionally generate the
appropriate content type header with header('Content-Type: ......').
That's the ticket! Thanks! I got it working with this (stripped down
version of dlcounter.php):
<?php
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=test.txt" );
readfile("/home/myispacct/secure/test.txt");
?>
One more question:
Is is better to use:
header("Content-Type: application/force-download")
or
header("Content-Type: application/octet-stream");
?
> > <a
href='../../dlcounter.php?file=somefile.zip|username'>somefile .zip</a> Just be aware that it's awfully easy to rewrite the URL. Get the username when you validate the user and keep it in a variable session.
I also tried this:
<a href='https://hostname.myisp.com/myacct/dlcounter.php'>somefile.zip</a>
The SSL state appears to be preserved as it goes to dlcounter.php, but I
can't get the SESSION variable value. If I put this in dlcounter.php:
echo $_SESSION['uid'];
exit;
Nothing is echoed on the screen.
I set $SESSION['uid'] on the login page:
$_SESSION['uid'] = $user;
$url="https://hostname.myisp.com/myacct/someuser/privatepage.php";
header('Location: '.$url); //redirect to privatepage.php
echo $_SESSION['uid'] will return the correct value on privatepage.php - but
not on dlcounter.php. Is there some reason why the variable is lost when
clicking on the link in privatepage.php? Do I need to set another Session
variable for the purpose of secure downloading?
> echo $_SESSION['uid'] will return the correct value on privatepage.php -
but not on dlcounter.php. Is there some reason why the variable is lost when clicking on the link in privatepage.php? Do I need to set another Session variable for the purpose of secure downloading?
oops...
session_start();
echo "SESSION[uid] = ".$_SESSION['uid'];
exit;
now it works :)
making progress, but...
---link in privatepage.php---
<a
href='https://hostname.myisp.com/myacct/dlcounter.php?file=test.zip'>test.zi
p</a>
---code in dlcounter---
<?php
session_start();
$dlfile = trim($_GET[file]);
switch ($_SESSION['uid'])
{
case "someuser":
$dlpath = 'home/myacct/someuser/'.$dlfile;
break;
default:
$dlpath = 'http://www.mysite.com/PublicDownload/'.$dlfile;
}
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=".$dlfile);
readfile($dlpath);
The download dialog appears, but the download fails becuase path to the file
is getting screwed up. In the File Download dialog, the File Name appears
not at "test.txt", but as a url to dlcounter.php. Perhaps this is because
it's looking for a SSL-encrypted path? How to get it to go to the correct
path? Is this possible when connecting to an SSL-encrypted dlcounter.php?
Thanks again for the help.
*** deko escribió/wrote (Sun, 13 Mar 2005 23:30:47 GMT): Just be aware that it's awfully easy to rewrite the URL. Get the username when you validate the user and keep it in a variable session. So, would you suggest something like this:
<a href='../../dlcounter.php?file=$_SESSION['uid']>somefile.zip</a>
I would suggest NOT doing so. What prevents me from typing any username in
my browser's location bar?
The problem with using the session variable is that the session is lost when going from the SSL-encrypted private user page to the dlcounter.php script.
Then transmit the session ID in the URL when moving to SSL zone. Check
this: http://es.php.net/manual/en/function.session-id.php
Or you can also use SSL since login.
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (la web de humor barnizada para la intemperie)
++ Manda tus dudas al grupo, no a mi buzón
-+ Send your questions to the group, not to my mailbox
--
*** deko escribió/wrote (Mon, 14 Mar 2005 00:57:21 GMT): $dlpath = 'home/myacct/someuser/'.$dlfile; break; default: $dlpath = 'http://www.mysite.com/PublicDownload/'.$dlfile; } header("Content-Type: application/octet-stream"); header("Content-Disposition: attachment; filename=".$dlfile); readfile($dlpath);
The download dialog appears, but the download fails becuase path to the file is getting screwed up. In the File Download dialog, the File Name appears not at "test.txt", but as a url to dlcounter.php. Perhaps this is because it's looking for a SSL-encrypted path? How to get it to go to the correct path? Is this possible when connecting to an SSL-encrypted dlcounter.php?
I'll try to explain myself better. The problem is that you can't password
protect directories. So we've moved files outside the web server root and
we are using a script to download them. If your script loads files from
within the web server root, we're doing nothing! Your users can override
the script and point their browsers to the actual URL. You want your script
to read from the *file system*, from a directory that's hidden to browsers.
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (la web de humor barnizada para la intemperie)
++ Manda tus dudas al grupo, no a mi buzón
-+ Send your questions to the group, not to my mailbox
--
> > <a href='../../dlcounter.php?file=$_SESSION['uid']>somefile.zip</a> I would suggest NOT doing so. What prevents me from typing any username in my browser's location bar?
10-4. The problem with using the session variable is that the session is lost
when going from the SSL-encrypted private user page to the dlcounter.php
script. Then transmit the session ID in the URL when moving to SSL zone. Check this:
http://es.php.net/manual/en/function.session-id.php
Or you can also use SSL since login.
That would be the best solution, I think.
> > $dlpath = 'home/myacct/someuser/'.$dlfile; break; default: $dlpath = 'http://www.mysite.com/PublicDownload/'.$dlfile; } header("Content-Type: application/octet-stream"); header("Content-Disposition: attachment; filename=".$dlfile); readfile($dlpath);
The download dialog appears, but the download fails becuase path to the
file is getting screwed up. In the File Download dialog, the File Name
appears not at "test.txt", but as a url to dlcounter.php. Perhaps this is
because it's looking for a SSL-encrypted path? How to get it to go to the
correct path? Is this possible when connecting to an SSL-encrypted
dlcounter.php? I'll try to explain myself better. The problem is that you can't password protect directories. So we've moved files outside the web server root and we are using a script to download them. If your script loads files from within the web server root, we're doing nothing! Your users can override the script and point their browsers to the actual URL. You want your
script to read from the *file system*, from a directory that's hidden to
browsers.
I understand. In the code snippet above, I switch on user ID - if the user
ID is not set, then the default is to download from the publicDownload
directory. if the user ID *is* set, then /home/myacct/someuser/ is a
directory outside of public_html.
What I'm tying to do (which may be a mistake) is to use the same download
script to log public downloads as well as private downloads. To so this, I
need to pass variables into the script. I was thinking I would pass in the
file name and the user name. But apparently, anyone can send variables into
the script, and potentially guess what the username and/or file is. So I'm
thinking the download script for private files needs to be embedded in the
private, SSL-encrypted page where the links to the private files are. I
will keep working on this...
Thanks again for the help. Your comments have helped a lot.
*** deko escribió/wrote (Mon, 14 Mar 2005 20:17:33 GMT): I understand. In the code snippet above, I switch on user ID - if the user ID is not set, then the default is to download from the publicDownload directory. if the user ID *is* set, then /home/myacct/someuser/ is a directory outside of public_html.
Yep, you're right, I read the code too quickly. You miss a leading / but
the rest seems okay.
What I'm tying to do (which may be a mistake) is to use the same download script to log public downloads as well as private downloads.
The approach looks good to me.
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (la web de humor barnizada para la intemperie)
++ No envíes tu dudas a mi correo, publícalas en el grupo
-+ Do not send me your questions, post them to the group
-- This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Michael J. Astrauskas |
last post by:
I'm really confused on how to store arrays in a $_SESSION.
Right now to access an array I basically do this:
$lc = $_SESSION;
$lc = 1;
(plus some other manipulative code)
$_SESSION = $lc;
|
by: Undercat |
last post by:
Hi,
I'm coding Php under register_global = off flag, but, most (all ?) of php
hosting companies use the "on" flag with their shared servers...
I spent too much time to finally discover that my...
|
by: Pedro Fonseca |
last post by:
Greetings everyone!
I'm porting everything to PHP5. I have session variables in all of my
web application. Until PHP5 I was using session variables like:
if ($_SESSION == 'Bar') {
$value = 5;...
|
by: Sundial Services |
last post by:
I have an object in the session-data which contains a search-result list.
It might, at various times, contain 16,000 entries or more.
I seem to be noticing, however, that when the size of the...
|
by: Jim Schlight |
last post by:
Is there a limit to the number of include directories that can be
specified? I'm upgrading from Visual Studio .NET 2002 to 2003 and
getting:
fatal error C1083: Cannot open include file:...
| |
by: comp.lang.php |
last post by:
This is an urgent request (as always)
generate_admin_customer_position_dropdown($customerResult,
$customerResult->id);
print_r($_SESSION);
This code will generate an HTML dropdown as...
|
by: comp.lang.php |
last post by:
Is it possible to access values preset from $_SESSION from within a CLI
PHP page? If so, how is it done? Each time I try to access $_SESSION
is an empty array; the moment I leave the CLI PHP and...
|
by: nathj |
last post by:
Hi,
I am trying to get $_SESSION to work on my site. In order to learn this an dunderstand it better I have built two very simple test pages to see if i can access $_SESSION on both pages.
...
|
by: Jeff Nyman |
last post by:
Greetings all.
I did some searching on this but I can't seem to find a specific
solution. I have code like this:
=========================================
def walker1(arg, dirname, names):...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
| |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The...
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence...
| |