Question

restriction to directly accessing any file by typing in the address bar

Asked by: woleraymond

I would like to restrict access to a certain directory on my web server if users directly access any file by typing it in the address bar. I would like only privileged users to be able to do that, by clicking a link.
How do I achieve this with PHP?


Asked On: 2007-07-22 at 03:26:22, ID 22712361
Tags: access, address, bar, directly, file
Topics: PHP Scripting Language, Miscellaneous Web Development, WebApplications
Participating Experts: 7
Points: 500
Comments: 18

Answers

by: paradoxengine, posted on 2007-07-22 at 04:00:45, ID: 19542244

Well, the question is somewhat unclear so we need more information. Anyway...
You could achieve directory security using Apache basic authentication, but that will not help with clicking vs. typing.
This is how I'd do that.
1- Create a "grant access.php" file. Do your authentication stuff there: if a user authenticates then put in session something like "authok".
2- In each and every PHP file you want to protect, add something like if (empty($_SESSION['authok'])) die("AUTH REQUIRED"); Note this won't help you with images and such, and once the user has authenticated he will be able to access any file without clicking.

To achieve exactly what you want, you'd have to add a random token to the session at each click, then redirect the user to the page, and in the page consume the token.
Like: grantaccess.php -> Is the user authenticated? If so, generate token, put into session, redirect user to PAGEX.php -> delete token. If there's no token, deny access.
This way the user will only be able to access the page one time and only by clicking on the link.
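The one-time-token flow described in the post above, written out as an added example (this is not code from the thread). It assumes the login code sets $_SESSION['authok'] = true, that the protected pages live in ./protected/<name>.php, and that links on the links page point at grant.php?page=<name>; the file name grant.php, the allow-list and the 120-second expiry are assumptions. The expiry is an extra check on top of the post's flow: an issued token that was never followed dies after two minutes.

```php
<?php
// grant.php: added example of the one-time-token flow, not code from the thread.
// Assumptions: the login code sets $_SESSION['authok'] = true; protected pages
// live in ./protected/<name>.php; links point at grant.php?page=<name>.
// Flow: grant.php?page=reports  ->  303 redirect to
//       grant.php?page=reports&t=<token>  ->  token consumed, page included.
declare(strict_types=1);
session_start();

const TOKEN_TTL     = 120;                        // seconds until an unused token dies
const ALLOWED_PAGES = ['reports', 'invoices'];    // constructed allow-list of page names

// Create a single-use token bound to one page and keep it server-side only.
function issue_token(string $page): string
{
    $token = bin2hex(random_bytes(16));           // 128 random bits from the CSPRNG
    $_SESSION['grant'] = [
        'token'   => $token,
        'page'    => $page,
        'expires' => time() + TOKEN_TTL,
    ];
    return $token;
}

// Consume the stored token. It is removed on the first attempt, matching or
// not, so a retyped or bookmarked URL fails with "no token" from then on.
function consume_token(string $page, string $presented): bool
{
    $grant = $_SESSION['grant'] ?? null;
    unset($_SESSION['grant']);
    if (!is_array($grant)) {
        return false;
    }
    return hash_equals($grant['token'], $presented)   // constant-time comparison
        && $grant['page'] === $page
        && time() <= $grant['expires'];
}

if (empty($_SESSION['authok'])) {
    http_response_code(403);
    exit('AUTH REQUIRED');
}

$page = $_GET['page'] ?? '';
if (!is_string($page) || !in_array($page, ALLOWED_PAGES, true)) {
    http_response_code(404);                      // only allow-listed names reach the filesystem
    exit('No such page');
}

$token = $_GET['t'] ?? null;
if ($token === null) {
    // First hop: the user clicked a link. Mint a token and bounce back here.
    $t = issue_token($page);
    header('Location: grant.php?page=' . rawurlencode($page) . '&t=' . $t, true, 303);
    exit;
}

// Second hop: the token must be present, fresh, and issued for this page.
if (!is_string($token) || !consume_token($page, $token)) {
    http_response_code(403);
    exit('Link expired or not reached by clicking');
}
require __DIR__ . '/protected/' . $page . '.php';
```

The page name is matched against an allow-list before it is used in a path, so the query string can never select a file outside ./protected/. Reloading the page after the first view fails, because the token was deleted when it was consumed; the links page has to be clicked again.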

by: woleraymond, posted on 2007-07-22 at 04:10:17, ID: 19542261

Hi,
I am actually protecting PDF documents in the directory.

by: GEM100, posted on 2007-07-22 at 04:38:09, ID: 19542306

Create a directory which no one will know about, and disable file listing for that directory:
http://www.javascriptkit.com/howto/htaccess11.shtml
Make sure the directory name cannot be guessed either; make it something like /pdfs5464243589/

Then make a PHP script which will download files based on file name. The file name will be passed to the PHP script via $_GET vars, e.g.:
pdfdlscript.php?myfile=myfile.pdf

Then "pdfdlscript.php" will take a file from your directory and pass it to the user to view/download. The directory name "/pdfs5464243589/" can be placed within the PHP code, and this PHP code will grab the file based on the $_GET['myfile'] variable. This PHP file will also take care of user authentication (e.g. via user session). So it will not give the file download if someone types
http://www.domain.com/pdfdlscript.php?myfile=myfile.pdf
in the browser directly, but will allow it if the user is logged in.

by: lunadl, posted on 2007-07-22 at 07:00:01, ID: 19542632

You need to create a new custom HTTP handler for the files and serve them from a server page.

by: Oscurochu, posted on 2007-07-22 at 11:26:08, ID: 19543396

Check for a referer. Deny all users that do not have a referer, and deny users from referring URLs that you do not approve of.

by: GEM100, posted on 2007-07-22 at 15:20:30, ID: 19543927

Oscurochu: I disagree; some versions of antivirus totally block the referer, and the referer can be faked on the client side easily.

by: Neil_Smithline, posted on 2007-07-22 at 19:11:43, ID: 19544596

I'm sorry, but I can't go for the referer solution or the complex directory name solution. The referer solution is bad for many reasons (briefly touched upon above), but mostly because the client fills in the referer link. You can never trust the client. One must always view the client as a brilliant and diabolical opponent who would be smart enough to forge a referer link.

As for the random directory name: I think that solution works, but should someone somehow get that directory name, then all security is gone. This is essentially proposing "security by obscurity", a weak solution at best.

paradoxengine's second solution seems along the right track. A "secure" random token stored in the server should be pretty tight. Adding a timeout on the token will make it even tighter. That way you can keep users from accessing the links page, visiting other pages, and then entering one of these extra-secure URLs directly, as the random token will have timed out. A timeout on the order of a few minutes might be reasonable.

Another variant is to store data in hidden fields on the links page and have clicking the link actually submit a form. I think the data you need in the hidden fields is the session ID, a timeout time, the page or pages they have access to, and a signature that signs all of the hidden fields along with a random number that is only stored in the user's session on the server (the random number ensures that the user cannot spoof the signature).

There probably are other ways to do this, but one thing I'm wondering is why do you wish to do this? It seems so un-web-like.

- Neil
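The signed-hidden-field variant from the post above, as an added example that is not code from the thread. Each "link" on the links page is a small form carrying the session ID, the page name, an expiry time and an HMAC over those three fields; the HMAC key is a random value that lives only in the server-side session, which is the "random number" the post relies on. Assumed: the login code sets $_SESSION['authok'] = true, the script is links.php and also receives the POST, protected pages live in ./protected/<name>.php, and the 180-second lifetime and allow-list are constructed values.

```php
<?php
// links.php: added example of the signed-hidden-field variant, not code from the thread.
// Assumptions: the login code sets $_SESSION['authok'] = true; this script renders the
// links page on GET and receives the form on POST; pages live in ./protected/<name>.php.
declare(strict_types=1);
session_start();

const GRANT_TTL     = 180;                         // seconds a signed grant stays valid
const ALLOWED_PAGES = ['reports', 'invoices'];     // constructed allow-list of page names

// Canonical message covering every hidden field except the signature itself,
// so the signed bytes are unambiguous on both sides.
function grant_message(string $sid, string $page, string $expires): string
{
    return http_build_query(['sid' => $sid, 'page' => $page, 'expires' => $expires]);
}

// Per-session random key known only to the server. The client sees the fields
// and the signature but never the key, so it cannot produce a valid signature.
function grant_key(): string
{
    if (!isset($_SESSION['grant_key'])) {
        $_SESSION['grant_key'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['grant_key'];
}

// Hidden-field values for one link's form.
function make_grant(string $page): array
{
    $fields = [
        'sid'     => session_id(),
        'page'    => $page,
        'expires' => (string)(time() + GRANT_TTL),
    ];
    $msg = grant_message($fields['sid'], $fields['page'], $fields['expires']);
    $fields['sig'] = hash_hmac('sha256', $msg, grant_key());
    return $fields;
}

// Check a POSTed grant: all fields present, signature valid under this session's
// key, bound to this session, naming an allowed page, and not yet expired.
function verify_grant(array $post): ?string
{
    foreach (['sid', 'page', 'expires', 'sig'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            return null;
        }
    }
    if (!isset($_SESSION['grant_key'])) {
        return null;                               // no grant was ever issued in this session
    }
    $expected = hash_hmac('sha256', grant_message($post['sid'], $post['page'], $post['expires']), $_SESSION['grant_key']);
    $ok = hash_equals($expected, $post['sig'])     // constant-time comparison
        && hash_equals(session_id(), $post['sid'])
        && in_array($post['page'], ALLOWED_PAGES, true)
        && ctype_digit($post['expires'])
        && time() <= (int)$post['expires'];
    return $ok ? $post['page'] : null;
}

if (empty($_SESSION['authok'])) {
    http_response_code(403);
    exit('AUTH REQUIRED');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $page = verify_grant($_POST);
    if ($page === null) {
        http_response_code(403);
        exit('Invalid or expired link');
    }
    require __DIR__ . '/protected/' . $page . '.php';
    exit;
}

// GET: render the links page; every "link" is a form carrying its signed grant.
foreach (ALLOWED_PAGES as $page) {
    echo '<form method="post" action="links.php">';
    foreach (make_grant($page) as $name => $value) {
        printf('<input type="hidden" name="%s" value="%s">', $name, htmlspecialchars($value, ENT_QUOTES));
    }
    printf('<button type="submit">%s</button></form>', htmlspecialchars($page, ENT_QUOTES));
}
```

Because the page is only reachable through a POST that carries a valid signature, a bookmarked or retyped GET URL never reaches the protected include. The key is per session, so a captured form from one session verifies against nothing in another; the session ID field is kept because the post asks for it, although the per-session key already provides that binding.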

by: ahoffmann, posted on 2007-07-22 at 23:04:49, ID: 19545326

> .. like to restrict access to a certain directory on my webserver if users directly access any file by typing in the address bar.

I guess you're just talking about the files in the directory, not the directory itself, not to be accessed by direct URL. Otherwise the only solution is: don't publish ;-)

That said, I'd do it as follows:
1. create your directory on the web server containing the PDF files; this directory must not be accessible through a URL (either outside DocumentRoot, or access restrictions)
2. write a .php script doing your authentication and accepting a parameter for the final file to be retrieved
3. the .php described in 2. delivers requested files only if the user credentials match; then files are fetched from 1. and sent to the client
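The download script that both GEM100's post and the three steps above describe, as an added example (not code from the thread). It assumes the PDFs are kept in /srv/protected-pdfs, outside DocumentRoot so the web server never serves them directly, that the login code sets $_SESSION['authok'] = true, and PHP 8. The part neither post spells out is validating the myfile parameter: a script that builds a path from a raw $_GET value can be asked for any file the web server account can read, so the name is restricted to a plain "<name>.pdf" and the resolved path is checked to still lie inside the store.

```php
<?php
// pdfdlscript.php: added example of the download-script approach, not code from
// the thread. Assumptions: PDFs live in /srv/protected-pdfs (outside DocumentRoot)
// and the login code sets $_SESSION['authok'] = true. Requires PHP 8.
declare(strict_types=1);
session_start();

const PDF_DIR = '/srv/protected-pdfs';   // assumed location of the PDF store

// Map the user-supplied name onto a file inside PDF_DIR, or null if it is not a
// plain "<name>.pdf" sitting directly in that directory.
function resolve_pdf(string $dir, string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,100}\.pdf\z/', $name) || str_contains($name, '..')) {
        return null;                             // no separators, no "..", .pdf only
    }
    $base = realpath($dir);
    $real = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;                             // missing file, or resolved outside the store
    }
    return is_file($real) ? $real : null;
}

if (empty($_SESSION['authok'])) {
    http_response_code(403);                     // a typed-in URL without a login gets nothing
    exit('Login required');
}

$requested = $_GET['myfile'] ?? '';
$path = is_string($requested) ? resolve_pdf(PDF_DIR, $requested) : null;
if ($path === null) {
    http_response_code(404);                     // same answer for "bad name" and "no such file"
    exit('No such document');
}

header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');     // keep the PDF out of shared caches
readfile($path);
```

With the directory outside DocumentRoot, typing the PDF's own path into the address bar gets a 404 from the web server itself, and typing the script URL without a session gets a 403 from the script; only the session check decides who receives a file, which is the part the directory-name trick on its own does not give you.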
by: Neil_Smithline, posted on 2007-07-23 at 06:30:55, ID: 19547164

ahoffmann,

How does your solution prevent access to the files by direct typing or bookmarking of the link? I think that is what is being requested here.

Also, can't you effectively prohibit access to a directory by including an index.php that redirects to an error page (could even be a 401: unauthenticated, a 403: unauthorized, or a 404: file not found). That still leaves you with protecting the files themselves but there have already been a few solutions for that.

- Neil

by: woleraymond, posted on 2007-07-23 at 06:39:30, ID: 19547236

Please go ahead with the solutions.

by: lunadl, posted on 2007-07-23 at 06:59:19, ID: 19547413

There are ways of accomplishing this with custom HTTP handlers, requiring server-side additions to make file content different, or by retrieving the file from a directory on your server that is not publicly served to the web and writing the contents out. Do you have access to your server, or is it hosted by a third party?

by: lunadl, posted on 2007-07-23 at 07:20:48, ID: 19547610

Also, are you against having the file entirely in a database? If not, you can read the contents of the file from the database on each request of a file. At that point you can do all the server-side authentication you want to make sure the user is who they say they are.

by: ahoffmann, posted on 2007-07-23 at 07:29:31, ID: 19547715

> How does your solution prevent access to the files by direct typing or bookmarking of the link?
see 1. "outside DocumentRoot" in http:#19545326

> pls go ahead with the solutions
what's wrong with mine?

by: lunadl, posted on 2007-07-23 at 08:28:47, ID: 19548357

@ahoffmann
Try it out, ahoffmann: you will be able to link to files that aren't handled by your HTTP server, like images. The directory is secure because its server files are protected from access.
That is why the solution has to come from a type of file that the server handles.
If the files cannot be put into a database then the solution will need to be a little more difficult to implement. If the files can be stored in a database then you can protect a single page that authenticates a request, then streams/writes the file dynamically from the database to the user.


by: ahoffmann, posted on 2007-07-24 at 00:01:06, ID: 19553962

lunadl, not sure what you want to tell me.
But let's wait 'til the questioner responds to the suggestions.
