  1. #1
    Raffles

    Limiting access to files

    I need to be able to limit access to certain directories. I can do this by chmod or using mod_rewrite, but I also need access to be granted if a user has a password.

    These directories cannot be moved from one directory to another and must stay in the same place. The only thing that must change is whether they can be accessed publicly or via logging in.

    So for instance, the contents of http://example.com/stuff/ must not be accessible publicly, but if I have a password they can. However, I, the owner of the website, must be able to change this on a whim - i.e. remove the restriction, or add it.

    How do I go about doing this? I'd like to avoid server-stuff (htaccess things, chmod, etc) as much as possible.

  2. #2
    ralph.m
    If you have something like CPanel, you can set usernames and passwords on directories through a simple interface (in CPanel: Security > Password Protect Directories).

    Or you can do it manually as explained here, though it involves some of the stuff you didn't want to touch.

    I've used these two methods, but there may be better ways of doing this.
    Forrest Gump: "IE is like a box of chocolates: you never know what you're gonna get."

  3. #3
    AnthonySterling
    Can you elaborate as to what type of files you want to protect? In all honesty though, using an .htaccess to implement a user/pass combo will be less work than a PHP based solution.
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  4. #4
    Raffles
    I can't use CPanel because it's not my website. I'm just providing stuff to be installed on someone else's server. Also, the users with access are not static and can change all the time.

    The files are images, SWFs, FLVs, MP4s, PDFs and common MS Office files. They are for an institution where members are given a password to access this stuff. There are no usernames, just the passwords (this is what I've been told to do) so that people don't need an "account", just this password. None of the stuff is especially sensitive, they just don't want some of these directories to be crawled by Google or accessed directly if one of the members posts a link to the file somewhere.

    Modifying the .htaccess file with PHP would be easy enough to do. The problem is that I can't use those modal user/pass things. It has to be web based (i.e. HTML forms).

    Any ideas?

  5. #5
    AnthonySterling
    Ah, then maybe PHP is the way to go.

    Store all the media in a directory above webroot, then simply proxy the data through PHP. Simply create a form, post it to a script to check the submitted password, and if it matches, start a session and store a value to indicate they are authorised.

    You then create a script to send the file to the user if they have this session variable, if not, send 'em to the login form.

    script.php?file=media/flv/grannydances.flv

    For example.

  6. #6
    ralph.m
    This is also an easy thing to do with a CMS, where all the functionality is built in. The site owner can then just assign privileges via a web interface in their control panel. Is a CMS an option?

  7. #7
    AnthonySterling
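    login.php
    PHP Code:
    <?php
    // Shared password that members submit through the HTML login form.
    define('PASSWORD', 'Sup3r53cretP@ssw0rd');

    // Send the browser to $url and stop executing.
    function redirect($url){
      header("Location: $url");
      exit;
    }

    // Missing or wrong password: back to the login form.
    if(true == empty($_POST['password']) || PASSWORD !== $_POST['password']){
      redirect('http://www.example.org/login.html');
    }

    // Correct password: flag the session as authorised.
    session_start();
    $_SESSION['authorised'] = true;
    session_write_close();
    redirect('http://www.example.org/filelist.html');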
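
Added example (not part of the original thread, and not AnthonySterling's code): a variant of the login.php above that keeps only a hash of the shared password on disk and issues a fresh session ID at login. The hash file path and the helper name `password_ok` are assumptions made for illustration.

```php
<?php
// Assumption: the site owner stores a password_hash() digest in a file outside
// webroot (hypothetical path), generated once with for example:
//   php -r 'echo password_hash("the shared password", PASSWORD_DEFAULT), "\n";'
const HASH_FILE  = __DIR__ . '/../private/member_password.hash';
const LOGIN_FORM = 'http://www.example.org/login.html';
const FILE_LIST  = 'http://www.example.org/filelist.html';

function redirect(string $url): void
{
    header('Location: ' . $url);
    exit;
}

// True only when $submitted is a non-empty string matching the stored hash.
function password_ok($submitted, string $hashFile): bool
{
    // Reject arrays (password[]=x) and empty input before touching the hash.
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    $hash = is_readable($hashFile) ? trim((string) file_get_contents($hashFile)) : '';
    // password_verify() compares in constant time; a missing file fails closed.
    return $hash !== '' && password_verify($submitted, $hash);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
    || !password_ok($_POST['password'] ?? null, HASH_FILE)) {
    redirect(LOGIN_FORM);
}

// Keep the session cookie away from page scripts and cross-site subrequests.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();
// New session ID at the privilege change, so an ID set before login is useless.
session_regenerate_id(true);
$_SESSION['authorised'] = true;
session_write_close();
redirect(FILE_LIST);
```

Changing the members' password then means replacing one line in the hash file, with no plaintext secret in the PHP source.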

  8. #8
    Raffles
    I was thinking this might be the way to go, but I was concerned about uglifying the URLs. Ralph, the CMS is not an option - this is basically a mini-CMS (only a few specific functions).
    Originally posted by AnthonySterling:

    script.php?file=media/flv/grannydances.flv

    For example.
    But to stop someone copying the media/flv/grannydances.flv bit into the address bar and hitting enter, I'd still have to add htaccess rules restricting direct access to those directories, right?

    I'm still a little confused. Suppose someone bangs http://example.com/media/meerkat.jpg into their browser. It's in a directory that needs the password. Surely I still need .htaccess to redirect any requests for that directory and its contents to the PHP script that finds out if the user is logged in or not?

  9. #9
    AnthonySterling
    Yep, same thing really; just nicer urls.

  10. #10
    Raffles
    I edited my previous post BTW.

    Writing to .htaccess wouldn't happen often so I think it's an OK solution. Thanks for your help chaps!

    EDIT:

    Another thing... is the performance hit for routing every file request through a script anything to be concerned about?

  11. #11
    AnthonySterling
    Regarding access, the files are impossible to access via a browser because they exist outside of webroot. So they literally have no path to 'figure out' or browse to.

    The PHP script applies the logic and serves the file.

    Yes, performance can be an issue which is why I asked about the type of files being served. Just remember to use readfile and you should be OK.

    Why would you need to rewrite the .htaccess?
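
Added example (not part of the original thread): the file-serving script described in posts #5 and #11, written so that the `file` parameter cannot point outside the media directory. `MEDIA_ROOT`, `resolve_media` and the MIME table are assumptions made for illustration; the session flag is the one set by login.php in post #7.

```php
<?php
// Added example, not from the thread. MEDIA_ROOT is a hypothetical path:
// a directory outside webroot, or one closed to direct requests by .htaccess.
const MEDIA_ROOT = __DIR__ . '/../protected';
const LOGIN_FORM = 'http://www.example.org/login.html';
// Allowlist built from the file types named in post #4 (subset shown).
const TYPES = [
    'jpg' => 'image/jpeg', 'swf' => 'application/x-shockwave-flash',
    'flv' => 'video/x-flv', 'mp4' => 'video/mp4', 'pdf' => 'application/pdf',
    'doc' => 'application/msword', 'xls' => 'application/vnd.ms-excel',
];

// Map the user-supplied ?file= value to [path, mime] inside $root, or null.
function resolve_media($requested, string $root): ?array
{
    if (!is_string($requested) || $requested === ''
        || strpos($requested, "\0") !== false) {
        return null;                      // arrays, empty values, NUL bytes
    }
    $base = realpath($root);
    $path = realpath($root . '/' . $requested);  // resolves ../ and symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment: the resolved path must still sit under the media root.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return array_key_exists($ext, TYPES) ? [$path, TYPES[$ext]] : null;
}

session_start();
$authorised = !empty($_SESSION['authorised']);   // set by login.php
session_write_close();        // release the session lock before streaming
if (!$authorised) {
    header('Location: ' . LOGIN_FORM);
    exit;
}
$media = resolve_media($_GET['file'] ?? null, MEDIA_ROOT);
if ($media === null) {
    http_response_code(404);
    exit('Not found');
}
[$path, $mime] = $media;
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A request such as `script.php?file=../login.php` resolves outside the media root and gets the same 404 as a file that does not exist.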

  12. #12
    Raffles
    I didn't really pick up on moving the files outside of the root, I stupidly thought you meant in a subdirectory.

    Unfortunately the files will have to be located in a subdir of the webroot, so it looks like I have to use htaccess after all.

  13. #13
    AnthonySterling
    Heh.

    So you'll be implementing an .htpasswd then ?

  14. #14
    Raffles
    Sort of I suppose. But I can't use the AuthUserFile stuff because it all has to be done via HTML forms...

    I never thought something like this would involve such difficulty. It's like what I want to achieve can be done in so many ways, but with one caveat in each case.

  15. #15
    AnthonySterling
    Why not use the PHP approach, but lock down the file directory with a simple .htaccess ?

  16. #16
    Raffles
    Yeah, I think that's what I'm going to do. Thanks for your patience!

  17. #17
    AnthonySterling
    Great. No problem, just let me know if you get stuck; I'm PM ScallioXTX.

  18. #18
    SitePoint Member
    mod_auth is what you need ( .htuser / .htpasswd )

