Secure File

On Fri, 19 Dec 2003 13:38:37 -0500, Wes wrote:

I have sessions working where individual users have their own person
information and can't view others personal info... The problem is, the
sessions block them in php but I can't block them from files that I can't
have the session security.

I tried imbedding the file into a secured php file but it did not work, my
code is below that I used. For reference, 00231 is the username to login
so it checks if the username is the same etc.

<?
// Agent Access - secure page

// session check
session_start();
if ($SESSION_UNAME != "00231" )
{
// if session check fails, invoke error handler header("Location:
error.php?e=2");
exit();
}
require("http://www.cmiteam.com/privagents/contests/test.pdf");
?>

Store the PDF (and whatnot) in a directory outside of your Web accessible
directories and write a small download function to download the files. As
they're read in via the PHP script for downloading, they don't physically
need to be accessible by the Web, meaning people can't bypass your script
and access them directly. This enables you to limit access depending on
your session data.

Have the URIs such as:
<http://domain.com/privagents/contents/download.php/1
Then the likes of:
<?php
$path_info = explode('/', $_SERVER['PATH_INFO']);
$file_id = intval($path_info[1]);

download_file($file_id);
?>
Write the download_file(int ID) function to read the filename and details
from a database or equivalent and send a binary header so that the file
downloads (I'll leave this as an educational experience).
HTH =)

Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.

Thank you Ian.H for your reply.

I will try your suggestion out.

Wes

"Ian.H" <ia*@WINDOZEdigiserv.net> wrote in message
news:pa****************************@hybris.digiser v.net...

On Fri, 19 Dec 2003 13:38:37 -0500, Wes wrote:

I have sessions working where individual users have their own person
information and can't view others personal info... The problem is, the
sessions block them in php but I can't block them from files that I can't have the session security.

I tried imbedding the file into a secured php file but it did not work, my code is below that I used. For reference, 00231 is the username to login so it checks if the username is the same etc.

<?
// Agent Access - secure page

// session check
session_start();
if ($SESSION_UNAME != "00231" )
{
// if session check fails, invoke error handler header("Location:
error.php?e=2");
exit();
}
require("http://www.cmiteam.com/privagents/contests/test.pdf");
?>

Store the PDF (and whatnot) in a directory outside of your Web accessible
directories and write a small download function to download the files. As
they're read in via the PHP script for downloading, they don't physically
need to be accessible by the Web, meaning people can't bypass your script
and access them directly. This enables you to limit access depending on
your session data.

Have the URIs such as:
<http://domain.com/privagents/contents/download.php/1
Then the likes of:
<?php
$path_info = explode('/', $_SERVER['PATH_INFO']);
$file_id = intval($path_info[1]);

download_file($file_id);
?>
Write the download_file(int ID) function to read the filename and details
from a database or equivalent and send a binary header so that the file
downloads (I'll leave this as an educational experience).
HTH =)

Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.