How to prevent a direct link by-passing a login

I’ve built a ‘members’ area’ on a web site http://www.holidaymull.co.uk, complete with login. Members linking to the member area from the site are required to log in, and that works OK.
Much of the material is archive stuff (newsletters, committee minutes, etc.) and sometimes it’s convenient to give members the direct URL link to one of these items. Trouble is that by-passes the login, so anyone can follow the link and from there get to the rest of the member area. There’s nothing there of huge risk, but it seems a bad idea in principle.
I want to find a way that anyone not logged in is referred back to the login page if they try to follow one of the direct links. I’ve tried a re-direct (.htaccess), but that hasn’t worked for a wild-card directory name (e.g. http://www.holidaymull.co.uk/members/*), so short of providing a redirect for every page, that doesn’t seem the way to go.
Because the material is mostly archive stuff, or PDFs it’s not convenient to put some code at the top of every file to enforce login.
None of my books deal with this situation. Can anyone tell me how to resolve it, please?

Thanks, Felgall. I’ll give that a try and let you know how I get on.

I use the following PHP to pull the PDFs from a location not accessible from the web.

<?php
// $path (a directory outside the web root) and $pdf (the file name) are set by the
// access-check code that runs before this block.
ini_set('zlib.output_compression', 'Off');   // compression would make Content-Length wrong
header("Pragma: public");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");   // a date in the past: never serve a stale copy
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: must-revalidate");
header('Content-type: application/pdf');
header('Content-Disposition: inline; filename="' . $pdf . '"');
header('Content-Length: ' . filesize("$path/$pdf"));
readfile("$path/$pdf");

You can add whatever extra PHP code above it to control who has access to the PDF, and simply need to set the $path and $pdf values before running this code for those who you do want to allow access. Most of the headers are there to avoid problems with Internet Explorer.

Thank you Oddz and Felgall.
I was hoping for some .htaccess voodoo, too. But I didn’t find it.
Putting the files above the root will make them more secure, but it precludes having a link to them directly. I knew what I wanted to do might be difficult. The consensus so far is that it’s just not possible.

How do I put code at the top of a PDF document, please?

To avoid bypassing the login you need code at the top of each page that tests if the person is logged in and redirects them to the login page if they are not logged in.

You can use a session to pass information between pages that allows you to determine if the person is logged in. The way I do it is to generate a token containing a fairly long string of essentially random characters which is stored in the database in the record containing their userid and password when they log in. That same token is also passed between pages using a session and each page starts out by testing if a record with that token exists in the database. The tokens are deleted from the database when they log out or after two hours.
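The token-in-session scheme described in this post, written out as an added example (this is not felgall's code and not from the site in question). It assumes PDO with an in-memory SQLite database so it runs stand-alone, tables named `users(id, username, password_hash)` and `login_tokens(token, user_id, expires_at)`, and a constructed sample account; the page-top check is `require_login()`.

```php
<?php
// Added example (not felgall's code): a login token stored in the database and carried
// between pages in the session, checked at the top of every protected page, and removed
// on logout or after two hours. Assumptions: PDO with an in-memory SQLite database, and
// tables users(id, username, password_hash) and login_tokens(token, user_id, expires_at).
declare(strict_types=1);

const TOKEN_LIFETIME = 2 * 60 * 60; // two hours

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $db->exec('CREATE TABLE login_tokens (token TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)');
    // Constructed sample account; only the hash is stored, never the password itself.
    $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// Check the credentials, mint a random token, store it with its expiry and put it in the session.
// The caller must have called session_start() first.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // same answer for an unknown user and a wrong password
    }
    $token = bin2hex(random_bytes(32)); // 64 hex characters from the CSPRNG
    $db->prepare('INSERT INTO login_tokens (token, user_id, expires_at) VALUES (?, ?, ?)')
       ->execute([$token, $row['id'], time() + TOKEN_LIFETIME]);
    session_regenerate_id(true); // fresh session id after login, against session fixation
    $_SESSION['token'] = $token;
    return true;
}

// Per-page check: the token in the session must still exist in the database and be unexpired.
function current_user_id(PDO $db): ?int
{
    if (empty($_SESSION['token'])) {
        return null;
    }
    $db->prepare('DELETE FROM login_tokens WHERE expires_at <= ?')->execute([time()]); // purge expired tokens
    $stmt = $db->prepare('SELECT user_id FROM login_tokens WHERE token = ?');
    $stmt->execute([$_SESSION['token']]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// First lines of every protected page: bounce anyone who is not logged in to the login page.
function require_login(PDO $db, string $login_url = '/members/login.php'): int
{
    $id = current_user_id($db);
    if ($id === null) {
        header('Location: ' . $login_url, true, 302);
        exit;
    }
    return $id;
}

// Logout: delete the token server-side, so the value left in the session is useless.
function logout(PDO $db): void
{
    if (!empty($_SESSION['token'])) {
        $db->prepare('DELETE FROM login_tokens WHERE token = ?')->execute([$_SESSION['token']]);
    }
    $_SESSION = [];
    session_destroy();
}

// Stand-alone demonstration from the command line.
if (PHP_SAPI === 'cli') {
    session_start();
    $db = open_db();
    var_dump(login($db, 'alice', 'wrong password'));
    var_dump(login($db, 'alice', 'correct horse battery staple'));
    var_dump(current_user_id($db));
    logout($db);
    var_dump(current_user_id($db));
}
```

Under a web server, `session_start()` has to come before any output on the page. The two-hour limit is enforced from the server's copy of the token, so a visitor who keeps an old session cookie cannot extend it, and logging out invalidates the token everywhere at once.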

For maximum security you would need to store the files outside the site root and serve them up through a script that is able to check the user's privileges. Perhaps there is some htaccess voodoo to achieve what you would like but ultimately the most reliable solution will be to place them outside of public access.

Thank you, I know of the Zend framework, and I’ll check it out.

However, I have a login system that does what you describe except it only allocates access at one level. I’m hoping to avoid having to put a code header on every page, because they are archive copies of meeting minutes and other boring stuff, many of them are PDFs. If it weren’t for that I’d not have a problem.

I was hoping there would be a way to redirect (or intercept) any URL pointing to a file in the ‘member’ directory (or in a sub-directory below it) so that the controller script (/member/index.php) was called. It could then check that the visitor was logged in, and only then allow the URL to be loaded. But perhaps this isn’t possible?

ramasaig

This should be part of the security framework for your site. It’d fall into 2 components: authentication & an access control list. The former makes sure a site visitor is a given user in your system, i.e. via matching user-name / password, while the latter assigns access to different site resources, e.g. pages, nodes, files, to specific roles / groups, & a given authenticated user may belong to several of these roles / groups (authorization).

I’d suggest using the Zend Framework Zend_Auth & Zend_ACL components

Zend_Auth

Zend_Acl

Using these two components you could include, as part of the code header for every page the few dozen lines to check whether a user is authenticated & ultimately authorized to access a particular site resource.

There is a learning curve on using any framework, and Zend is no exception. But it does have a huge pay off.

Al
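The interception ramasaig asks about (every URL below the member directory routed to one controller script), the serving script felgall posted with the access check it leaves to the caller, and the authentication/authorization split Al describes, brought together in one added example. This is not code from the thread, from the site, or from Zend Framework. It assumes mod_rewrite is available to `.htaccess` (`AllowOverride FileInfo`), that the archive lives in a directory outside the document root (the path here is made up), that the login page is at `/login.php` so the rewrite rule does not catch it, and the token and role tables named in the comments.

```php
<?php
// Added example; not code from the thread, from the site or from Zend Framework. One
// controller script reached for every URL below /members/, split into the two components
// Al describes: authentication from the session token, then authorization from a small
// role-based access list, before the file is streamed from outside the web root.
// Assumed /members/.htaccess (the directory holds only this index.php):
//   RewriteEngine On
//   RewriteRule ^index\.php$ - [L]
//   RewriteRule ^(.*)$ index.php?file=$1 [L,QSA]
declare(strict_types=1);

const ARCHIVE_DIR = '/home/holidaymull/private/members';            // assumed; outside DocumentRoot
const LOGIN_URL   = '/login.php';                                    // assumed; outside /members/
const DB_DSN      = 'sqlite:/home/holidaymull/private/site.sqlite'; // assumed

// Authorization table: archive sub-directory => roles that may read it; longest prefix wins.
const ACL = [
    ''          => ['member', 'committee'], // archive root: any logged-in member
    'committee' => ['committee'],           // committee minutes: committee role only
];
// Only these extensions are served; anything else is a 404 rather than a guessed MIME type.
const ALLOWED_TYPES = ['pdf' => 'application/pdf', 'html' => 'text/html; charset=UTF-8'];

// Authentication: the session token must be in the database and unexpired.
// Assumed tables: login_tokens(token, user_id, expires_at) and users(id, role).
function current_role(PDO $db): ?string
{
    if (empty($_SESSION['token'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT u.role FROM login_tokens t JOIN users u ON u.id = t.user_id
                          WHERE t.token = ? AND t.expires_at > ?');
    $stmt->execute([$_SESSION['token'], time()]);
    $role = $stmt->fetchColumn();
    return $role === false ? null : (string) $role;
}

// Map the request onto a real file inside ARCHIVE_DIR and return its path relative to the
// archive, or null. realpath() collapses "..", so the prefix test is what stops a request
// such as file=../../etc/passwd from escaping the archive.
function resolve_archive_file(string $requested, string $base = ARCHIVE_DIR): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($base);
    $full = ($base === false) ? false : realpath($base . '/' . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the archive
    }
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    return isset(ALLOWED_TYPES[$ext]) ? substr($full, strlen($prefix)) : null;
}

// Authorization: judged on the *resolved* relative path, never the raw request, so that
// "newsletters/../committee/x.pdf" is treated as committee/x.pdf.
function role_may_read(string $role, string $relative): bool
{
    $best = null;
    foreach (ACL as $dir => $roles) {
        $matches = $dir === '' || strncmp($relative, $dir . '/', strlen($dir) + 1) === 0;
        if ($matches && ($best === null || strlen($dir) > strlen($best))) {
            $best = $dir;
        }
    }
    return $best !== null && in_array($role, ACL[$best], true);
}

function send_file(string $relative): void
{
    $full = realpath(ARCHIVE_DIR) . DIRECTORY_SEPARATOR . $relative;
    header('Content-Type: ' . ALLOWED_TYPES[strtolower(pathinfo($full, PATHINFO_EXTENSION))]);
    header('Content-Disposition: inline; filename="' . basename($full) . '"');
    header('Content-Length: ' . filesize($full));
    header('Cache-Control: private, no-store'); // keep members-only files out of shared caches
    header('X-Content-Type-Options: nosniff');
    readfile($full);
}

// Controller flow when reached through the rewrite rule (skipped under the CLI).
if (PHP_SAPI !== 'cli') {
    session_start();
    $db   = new PDO(DB_DSN, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $role = current_role($db);
    if ($role === null) {
        header('Location: ' . LOGIN_URL, true, 302); // not logged in: back to the login page
        exit;
    }
    $relative = resolve_archive_file((string) ($_GET['file'] ?? ''));
    if ($relative === null) {
        http_response_code(404);
        exit('Not found');
    }
    if (!role_may_read($role, $relative)) {
        http_response_code(403);
        exit('Forbidden');
    }
    send_file($relative);
}
```

Because the archive never sits under the document root, there is no direct URL that can bypass the check: a link such as `/members/newsletters/2009.pdf` reaches this script first, and it keeps working for a member who has logged in, which is the behaviour the thread was after. The order of the checks matters: a visitor who is not logged in is always redirected, without learning whether the file exists, and the role check runs on the canonical path so that the access list cannot be sidestepped with `..` segments.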