PHP, Session and protect folder

Posted on 2004-11-15
Last Modified: 2012-06-27
I made a small framework to let users here administrate small web info pages.

They can upload documents, images, and make some pages protected by folders. ALL DOCUMENTS ARE UPLOADED IN A SINGLE FOLDER FOR A USER (image for the public site, or private document).

To protect a page, I add a Cookie/Session mechanism on the pages they choose to protect. The problem is that if a user decides to add security to a page, and in this page puts a link to a document (so a link to a document uploaded in the user folder), the PHP page is protected, but the link to the document should implicitly be protected too. Same problem for IMAGES (<IMG>) inserted in this page. The IMG shouldn't be accessible if users are not authenticated.

Who could give me a solution or architecture to implement that kind of protection for a multi-user framework? Thanks.
Question by:eeolivier
    LVL 48

    Expert Comment

    To do this it is best to use custom tags for such links to pictures and documents, like [img]imagename[/img]
    Then use
    // The original used the /e modifier, which evaluates the replacement as PHP code (removed in PHP 7); a callback does the same job safely.
    $text = preg_replace_callback('#\[img\]([^]]+)\[/img\]#iU', function ($m) { return checkimg($m[1]); }, $text);

    in the function checkimg you implement the check to see if the current user has the right to view that image.
    function checkimg($name) {
       // isEntitled() stands for the framework's own session check; names containing "public" are always shown.
       // strstr() takes the haystack first, then the needle.
       if (isEntitled() || strstr($name, 'public') !== false) {
           return "<img src='" . htmlspecialchars($name, ENT_QUOTES) . "'>";
       } else {
           return '';
       }
    }
    Same is possible for other tags. You can also use the HTML tags and parse them, but that regex is a little bit more difficult.

    Just my 2 cents how to do this.

    Author Comment

    Maybe I didn't explain well.

    In fact, if a user in a protected page puts "<IMG SRC="http://localhost/images/toto.jpeg">", my cookie session system doesn't protect the http://localhost/images/toto.jpeg file, so in a browser I can type "http://localhost/images/toto.jpeg" and get the picture.
    LVL 48

    Accepted Solution

    Do you have any information on whether such a file belongs to a private or public page, or maybe both, other than that such a link is referenced inside a page?

    If you have such information you might have a look at how files can be protected. I think you will need to rewrite parts of your application so the user decides on upload whether this file is public or private. Then you can check the file via such a script as given in that link to decide if someone is allowed to get the file or not.
    LVL 20

    Assisted Solution

    If you have access to htaccess, then you can protect the files in each directory.

    I've shown this solution elsewhere for other problems.

    Fundamentally, you set an htaccess file so that all access is natively denied,
    but you use the ErrorDocument function to have another PHP file check for access based on your own rules.
    This in turn serves the page (either by processing with include() for PHP, or by reading with readfile() for non-PHP (JPG, etc.)).
    Implementing it as multi-user just involves checking the permissions based on the directory path in conjunction with the user's rights.

    To do this, just parse the directory path and check for the rights that way.
    LVL 9

    Assisted Solution

    The other way is to rename the files:
    the user uploads image1.jpg
    your script stores image1.jpg with a random file name (osnduoifrno) and puts the random - real file name relation in a database.
    If somebody wants to retrieve image1.jpg, they call your script,
    and your script simply looks up the random file name in the database and sends its contents by file_get_contents().
    If people cannot see a listing of your directory, they have no way of knowing the random file names.

    Assisted Solution

    As a mix of the solutions offered by virmaior and _GeG_ you could use mod_rewrite to translate URL from:
    or whatever you like.
    getfile.php will check if user is authorised to retrieve file and will(or won't) output the file.
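The gatekeeper script that the three answers above converge on, written out as an added example (not code from any of the experts or from the asker's framework): files are stored under the random name _GeG_ describes, Apache hands every request for them to this script (either sergio_ga's mod_rewrite rule or virmaior's ErrorDocument trick), and the script checks the session before streaming the bytes. The upload root, the session key `user` and the in-memory `$files` table are assumptions standing in for the real configuration and database.

```php
<?php
// getfile.php: the single gatekeeper in front of every upload. Reached via
// mod_rewrite (e.g. RewriteRule ^files/([a-z0-9]+)$ getfile.php?f=$1) or as an
// Apache "ErrorDocument 403" handler once the upload directory is denied in
// .htaccess. Added example, not the asker's code; paths/session keys assumed.
declare(strict_types=1);
session_start();

const UPLOAD_ROOT = '/var/www/uploads';   // assumed: outside the document root
$mime = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
         'png' => 'image/png',  'pdf' => 'application/pdf'];

// Constructed sample of the upload table (random storage name => metadata);
// in a real deployment this is a database lookup, and the upload script would
// mint the storage name with bin2hex(random_bytes(16)).
$files = [
    'osnduoifrno' => ['owner' => 'alice', 'public' => false, 'name' => 'image1.jpg'],
    'k7m2p9qz4wx' => ['owner' => 'alice', 'public' => true,  'name' => 'logo.png'],
];

// Access rule: public files for everyone, private files only for their owner.
function may_read(array $rec, ?string $user): bool
{
    return $rec['public'] || ($user !== null && hash_equals($rec['owner'], $user));
}

// Key comes from ?f= (mod_rewrite) or from the URL Apache redirected from
// (ErrorDocument); basename() plus the regex keep it from ever being a path.
$key = $_GET['f'] ?? basename($_SERVER['REDIRECT_URL'] ?? '');
if (!is_string($key) || !preg_match('/^[a-z0-9]{11,64}$/', $key) || !isset($files[$key])) {
    http_response_code(404); exit;
}
$rec = $files[$key];
if (!may_read($rec, $_SESSION['user'] ?? null)) {
    http_response_code(403); exit;      // same reply for anonymous and wrong user
}
$path = UPLOAD_ROOT . '/' . $key;       // stored under the random name, no extension
$ext  = strtolower(pathinfo($rec['name'], PATHINFO_EXTENSION));
if (!isset($mime[$ext]) || !is_file($path)) {
    http_response_code(404); exit;
}
http_response_code(200);                // an ErrorDocument sub-request otherwise keeps 403
header('Content-Type: ' . $mime[$ext]);
header('Content-Disposition: inline; filename="' . rawurlencode($rec['name']) . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Because the browser never learns a real filesystem path and the upload directory itself is denied by Apache, an <IMG SRC> to a private file in a protected page fails with 403 for anyone without the owner's session, which is exactly the gap the asker describes.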
    LVL 48

    Expert Comment

    Split: hernst42 {http:#12583442} & virmaior {http:#12584387} & _GeG_ {http:#12585907} & sergio_ga {http:#12624972}
    LVL 9

    Expert Comment

    I was wondering last month why I had received so few points. Now I know, because the askers do not close the questions!
    Thanks mods for checking this!

    btw I agree with the split that hernst42 suggests.
    LVL 20

    Expert Comment

    Just a note -- I am not a Moderator but just a Cleanup Volunteer (and Page editor actually but in other areas) and Cleanup is a normal process -- in some areas slower in some areas faster but it is going on :)

    Thanks for the responses. They really help :)
