preventing external access to directory

J C-W <j@no.spam.here.com> wrote:

I have a directory with files (of various formats) contained within a
website which uses PHP to control user access via session variables. I would
like to protect the directory from direct external linking (e.g. prevent
people typing "http://www.mysite.com/protected-directory/file.doc" into the
address bar for example), so that users must log on to the website first to
gain access to them. Currently, I've used a .htaccess file, but this

[...]

So you are using apache:
- move file out of the documentroot (or into a directory protected by
.htaccess)
- add a 404 handler to the protected-directory which points to a php
script which uses your normal authentication methods
- have this script serve the "protected" files, you'll need to set the
correct mime-type and http-status (eg 200) if the actual file can be
found

--

Daniel Tryba

J C-W wrote:
[snip]

but since Microsoft have
prevented the use of username/password combinations within the URL in IE,
this method is no longer viable.

<quote src="http://support.microsoft.com/kb/834489">

How to disable the new default behavior for handling user information in
HTTP or HTTPS URLs

To disable the new default behavior in Windows Explorer and Internet
Explorer, create iexplore.exe and explorer.exe DWORD values in one of
the following registry keys and set their value data to 0.

.. For all users of the program, set the value in the following
registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME _PASSWORD_DISABLE

.. For the current user of the program only, set the value in the
following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME _PASSWORD_DISABLE

</quote>

I haven't tested this.

Can anyone suggest an alternative solution
or a way around the http authentication problem?

Maybe cookies? as recommended by the site above?
--
USENET would be a better place if everybody read: | to mail me: simply |
http://www.catb.org/~esr/faqs/smart-questions.html | "reply" to this post, |
http://www.netmeister.org/news/learn2quote2.html | *NO* MIME, plain text |
http://www.expita.com/nomime.html | and *NO* attachments. |

Thanks for the suggestion - this is kind of what I've done in the end - all
hyperlinks to protected files are served by a script which checks for site
authentication before delivering the file - found the following useful
script on another forum:

//authentication checking script first, then...
$dir = $_SERVER['C_DOCUMENT_ROOT'].'/protected/';
$file = $dir.basename($_REQUEST['dl']);
if (isset($_REQUEST['dl']) && file_exists($file)) {
header('Content-type: application/force-download');
header('Content-Transfer-Encoding: Binary');
header('Content-length: '.filesize($file));
header('Content-disposition: attachment; filename='.basename($file));
readfile($file);
} else {
echo 'Either there was no file with that name for download, there was an
error, or your login session expired.';
}

Thus, if anyone tries to access the protected directory directly, a prompt
for a password is given, which should prevent all but the most tenacious
hacker (there's nothing worth that much effort in the directory anyway), and
if any registered user tries to copy the links to the files (in the form
http://www.mydomain.com/dl.php?dl=filename) and pass them onto a
non-registered user, entering the url into the browser will forward them to
the log in page.

I will add the 404 handler as per your suggestion too, just as an extra
safeguard.

J
--
-----Personal Disclaimer--------
Thanks to the explosion of abuse of email on the 'net,
I have taken to adding this disclaimer to all email. It's
not a legal statement, just a form of insurance. If you
get a message that appears to be from me, but it doesn't
have this disclaimer at the bottom, please treat it as
spam, as it has not originated from me.
-----End Disclaimer------
"Daniel Tryba" <ne****************@canopus.nl> wrote in message
news:cl**********@news.tue.nl...

So you are using apache:
- move file out of the documentroot (or into a directory protected by
.htaccess)
- add a 404 handler to the protected-directory which points to a php
script which uses your normal authentication methods
- have this script serve the "protected" files, you'll need to set the
correct mime-type and http-status (eg 200) if the actual file can be
found

--

Daniel Tryba

.oO(J C-W)

but since Microsoft have
prevented the use of username/password combinations within the URL in IE,
this method is no longer viable.

It was never allowed by any standard in HTTP URLs.

Micha

"Daniel Tryba" <ne****************@canopus.nl> wrote in message
news:cl**********@news.tue.nl...

So you are using apache:
- move file out of the documentroot (or into a directory protected by
.htaccess)
- add a 404 handler to the protected-directory which points to a php
script which uses your normal authentication methods
- have this script serve the "protected" files, you'll need to set the
correct mime-type and http-status (eg 200) if the actual file can be
found

Using PHP to serve file download isn't really the best solution, since you
lose the web server's cache handling and partial retrieval capability
(doable but tricky to implement yourself).

A cleaner way to protect files would be to use Apache rewrite. In give
someone access, you add an entry into a rewrite map with the PHP session ID
as the key. A rewriteCond statement would then extract the PHP session id
from HTTP_COOKIE, while a second rewriteCond would check whether the id is
in the rewrite map. If it's not, then the request is rewritten to an access
denied page.