Password protection and prevent download

Juerg Beck

Hello all
I'm completely new to php but a complete newbie when it comes to unix.
So please don't laugh about my problem.

I have programmed a nice password check with php, javascript and a
database and it works. But as I have removed the access control with
..htaccess on the server I recognized that everybody can now directly
download all documents without a password, as long as they know the
filename and location.

I assume that for any unix hacker it should not be a problem to find
all filenames somehow.
Is this true ? Have I opened a security hole on the server?
If yes, how can I prevent it. And how can I protect some directories
with sensitive data and only show it when somebody has properly
entered his personal passsword.
I mean is it possible to still use the .htaccess on some directories
and grant access to this directory for those users that correctly
identified itself, without having to enter another password ?

thanks
greets
Juerg
** Posted from http://www.teranews.com **

Sep 5 '08 #1

Subscribe Reply

2198

Sjoerd

Juerg Beck wrote:

I have programmed a nice password check with php, javascript and a
database and it works. But as I have removed the access control with
.htaccess on the server I recognized that everybody can now directly
download all documents without a password, as long as they know the
filename and location.

Suppose your files are in http://www.example.org/files/. If your server
is configured to show a directory index, it will show a list of files
when someone requests http://www.example.org/files/. This is not what you
want, so you could turn of directory index for that directory. That will
make it very hard for any visitor to get a list of files.

Another way to get a list of files is when someone has access to your
server. For example, if you host your site on a shared host, other people
using the same host may be able to get a list of files.

Finally, someone may just guess the filename or pass the URL on to
friends and family.

What you really want is that people can only the files through your
script, and can not pass the URL around.

To do this, you put your files outside of your document so that they are
no longer accessible through http://www.example.org/files/ or any other
URL. To access the file, you make a PHP script which first checks the
password and then serves the file. This makes downloading the file
without the password impossible.

It goes something like this:
<?php
$pass = $_POST['password'];
if ($pass == 'supersecret') {
$file = 'protectedfile.mp3';
// Set some headers to indicate that the user is downloading
// a file
header('Content-type: binary/octet-stream');
header('Content-disposition: attachment; filename='.$file);
header('Content-length: '.filesize($file));

// Pass the file to the visitor.
readfile($file);
} else {
echo 'Wrong password.';
}
?>

Sep 5 '08 #2

Similar topics

password-protection

by: Wm | last post by:

Something just occurred to me... <yeah, I know, it scared me too> I just password-protected a website by including a password authentication script in each page of a private section. The script...