  1. #1
    SitePoint Enthusiast

    Serve individual files, but hide folder from public view

    Hey all,

    I have a possibly silly web security issue I can't figure out.

    I'm serving sensitive files to individuals in a program database. I want the users to be able to click links to view these files in their own secure member areas. However, since these are all in the same documents folder, anybody can just view the folder root and see everybody's files.

    There's too many users to create folders and htaccess's for all, unless I'm dumb and there is a way.

    Am I missing the obvious solution, or does anybody have a good way to do this? Just want users to be able to view personal documents but keep the folder itself hidden.

    Any help is awesome, Thanks!

  2. #2
    SitePoint Wizard
    Originally posted by chasejbarnes:
        Hey all,
        I'm serving sensitive files to individuals in a program database. I want the users to be able to click links to view these files in their own secure member areas. However, since these are all in the same documents folder, anybody can just view the folder root and see everybody's files.

        There's too many users to create folders and htaccess's for all, unless I'm dumb and there is a way.

        Am I missing the obvious solution, or does anybody have a good way to do this? Just want users to be able to view personal documents but keep the folder itself hidden.

    Place the files in a folder above your public root folder and control access through PHP or whatever script you are using, or deny access to a file directory below your public folder and use PHP to read the file from there (less secure). Or, you can store the files as binary data in a database and control access that way.

    I do not have much knowledge in that area and, in fact, I am hopeful others will chime in about file access control so I can learn a thing or two. Such as: if you control file access through PHP with the files stored above public_html, which PHP function(s) do you use to transmit the file to the browser, which headers should you use, and once the file transmission has begun, does the PHP script end with no max_execution_time issues with the server taking over? I am basically looking for how one would protect files for a membership site.

    So if anyone has any information to share or links to info, I would be glad to see it because this is one gap I would like to fill.

  3. #3
    Mittineague
    If you're talking about someone going to
    website/folder/
    and getting Apache's default list of its file contents, you can put this in that folder's (or higher up if you prefer this for all folders) htaccess file.
    Code:
    Options -Indexes
    However - depending on how sensitive this info is, shouldn't you be using HTTPS?

    If not, it sounds like cheesedude's answer is the way to go.
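
A sketch of the "files above the public root, access controlled through PHP" approach suggested in post #2, showing one set of functions and headers that can be used. This is an added example, not code from any poster in the thread; the `documents` table and its columns, the `user_id` session key, the paths and the PDO DSN are all hypothetical.

```php
<?php
// download.php: sits in the web root; the documents themselves do not.
declare(strict_types=1);
session_start();
const DOC_ROOT = '/var/www/private_docs'; // assumed path, outside the web root
// Return the row only if this document belongs to this user (hypothetical schema).
function findOwnedDocument(PDO $db, int $userId, int $docId): ?array
{
    $stmt = $db->prepare(
        'SELECT stored_name, display_name FROM documents WHERE id = ? AND owner_id = ?'
    );
    $stmt->execute([$docId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Resolve the stored name and refuse anything that escapes DOC_ROOT.
function resolveInsideRoot(string $root, string $name): ?string
{
    $rootReal = realpath($root);
    $path = realpath($root . DIRECTORY_SEPARATOR . basename($name));
    if ($rootReal === false || $path === false || !is_file($path)) {
        return null;
    }
    return strpos($path, $rootReal . DIRECTORY_SEPARATOR) === 0 ? $path : null;
}

if (empty($_SESSION['user_id'])) {          // not logged in
    http_response_code(403);
    exit;
}
$db = new PDO('sqlite:/var/www/private/app.db'); // assumed DSN
$doc = findOwnedDocument($db, (int) $_SESSION['user_id'], (int) ($_GET['id'] ?? 0));
$path = $doc === null ? null : resolveInsideRoot(DOC_ROOT, $doc['stored_name']);
if ($path === null) {                       // unknown id, someone else's file, or bad path
    http_response_code(404);
    exit;
}

session_write_close();                      // release the session lock before streaming
while (ob_get_level() > 0) {                // buffering off so readfile() streams the file
    ob_end_clean();
}
header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($doc['display_name']));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Member pages would link to `download.php?id=<document id>`; because the ownership check runs on every request, guessing another id returns 404 rather than someone else's file, and there is no folder URL to browse.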

