Solved

restriction to directly accessing any file by typing in the address bar

Posted on 2007-07-22
Last Modified: 2008-06-21
I would like to restrict access to a certain directory on my web server if users directly access any file by typing it in the address bar. I would like only privileged users to be able to do that, by clicking a link.
How do I achieve this with PHP?
Question by:woleraymond
16 Comments
 
LVL 9

Accepted Solution

by:
paradoxengine earned 296 total points
ID: 19542244
Well, the question is somewhat unclear, so we need more information. Anyway...
You could achieve directory security using apache basic authentication, but that will not help with clicking vs typing.
This is how I'd do that.
1- Create a "grant access.php" file. Do your authentication stuff there: if a user authenticates, then put something like "authok" in the session.
2- In each and every PHP file you want to protect, add something like `if (empty($_SESSION['authok'])) die("AUTH REQUIRED");`. Note this won't help you with images and such, and once the user has authenticated he will be able to access any file without clicking.

To achieve exactly what you want, you'd have to add a random token to the session at each click, then redirect the user to the page, and in the page consume the token.
Like: grantaccess.php -> Is the user authenticated? If so, generate a token, put it into the session, redirect the user to PAGEX.php -> delete the token. If there's no token, deny access.
This way the user will only be able to access the page one time, and only by clicking on the link.
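The token flow paradoxengine outlines, written out as an added example (this is not code from the thread). Assumptions: the PDFs live in /var/www/private_pdfs, a directory outside DocumentRoot; a logged-in user is marked by $_SESSION['authok'] as in the answer above; and one script plays both roles, acting as "grantaccess.php" when called with ?file=... and as the protected page when called with ?t=... The file name, directory, token lifetime and PHP 7.1+ functions (random_bytes, nullable return types) are all this example's choices.

```php
<?php
// Added example, not code from the thread: paradoxengine's one-time token
// flow. Assumed layout: PDFs in /var/www/private_pdfs (outside DocumentRoot),
// logged-in users flagged by $_SESSION['authok'], this script called first
// with ?file=<name> (the link the user clicks) and then with ?t=<token>
// (the redirect target that consumes the token).
session_start();

const PDF_DIR   = '/var/www/private_pdfs';   // assumption: not under DocumentRoot
const TOKEN_TTL = 180;                       // seconds a clicked link stays valid

// grantaccess step: runs when the user clicks a link on the links page.
function issue_token(string $file): string
{
    if (empty($_SESSION['authok'])) {
        http_response_code(403);
        exit('AUTH REQUIRED');
    }
    // One path component, .pdf suffix, conservative characters: no "../",
    // and safe to put into a Content-Disposition header later.
    if (!preg_match('/^[A-Za-z0-9_-]+\.pdf$/', $file)) {
        http_response_code(404);
        exit('NOT FOUND');
    }
    $token = bin2hex(random_bytes(16));      // 128 random bits, not guessable
    // Keyed by token so several links can be outstanding at once; each token
    // is bound to exactly one file and an expiry time.
    $_SESSION['dl_tokens'][$token] = ['file' => $file, 'expires' => time() + TOKEN_TTL];
    return $token;
}

// Protected-page step: consume the token. Returns the file name, or null if
// the token is unknown, already used, or expired.
function consume_token(string $token): ?string
{
    if (!isset($_SESSION['dl_tokens'][$token])) {
        return null;
    }
    $entry = $_SESSION['dl_tokens'][$token];
    unset($_SESSION['dl_tokens'][$token]);   // delete before any other check: single use
    return $entry['expires'] >= time() ? $entry['file'] : null;
}

function send_pdf(string $file): void
{
    $path = PDF_DIR . '/' . $file;           // $file already validated by issue_token
    if (!is_file($path)) {
        http_response_code(404);
        exit('NOT FOUND');
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: inline; filename="' . $file . '"');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store'); // nothing for caches to replay later
    readfile($path);
    exit;
}

// Dispatch on the query string.
if (is_string($_GET['file'] ?? null)) {      // link clicked: issue token, redirect
    $t = issue_token($_GET['file']);
    header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?t=' . $t, true, 303);
    exit;
}
if (is_string($_GET['t'] ?? null)) {         // redirect target: consume token, serve
    $file = consume_token($_GET['t']);
    if ($file === null) {
        http_response_code(403);
        exit('AUTH REQUIRED');
    }
    send_pdf($file);
}
http_response_code(400);
exit('BAD REQUEST');
```

The ?t=... URL does end up in the address bar, so it can be bookmarked, but the token is deleted on first use and expires after three minutes regardless, so re-entering it yields 403. Typing the ?file=... URL by hand does work for a logged-in user, which is exactly the limit paradoxengine notes: the redirect only proves the request came through this script, not that a link was clicked.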
 

Author Comment

by:woleraymond
ID: 19542261
hi,
I am actually protecting PDF documents in the directory.
 
LVL 48

Assisted Solution

by:hernst42
hernst42 earned 284 total points
ID: 19542303

 
LVL 8

Assisted Solution

by:GEM100
GEM100 earned 284 total points
ID: 19542306
Create a directory which no one will know about, and disable file listing for that directory:
http://www.javascriptkit.com/howto/htaccess11.shtml
Make sure the directory name cannot be guessed either; make it something like /pdfs5464243589/

Then make a PHP script which will download files based on file name; the file name will be passed to the PHP script via $_GET vars, e.g.:
pdfdlscript.php?myfile=myfile.pdf

Then "pdfdlscript.php" will take a file from your directory and pass it to the user to view/download. The directory name "/pdfs5464243589/" can be placed within the PHP code, and this PHP code will grab the file based on the $_GET['myfile'] variable. This PHP file will also take care of user authentication (e.g. via user session). So it will not give the file download if someone types
http://www.domain.com/pdfdlscript.php?myfile=myfile.pdf
in the browser directly, but will allow it if the user is logged in.
 
LVL 12

Assisted Solution

by:lunadl
lunadl earned 284 total points
ID: 19542632
You need to create a new custom HTTP handler for the files and serve them from a server page.
 
LVL 5

Assisted Solution

by:Oscurochu
Oscurochu earned 284 total points
ID: 19543396
Check for a referer. Deny all users that do not have a referer; deny users coming from referring URLs that you do not approve of.

 
LVL 8

Expert Comment

by:GEM100
ID: 19543927
Oscurochu: I disagree; some versions of antivirus totally block the referer, and the referer can be faked on the client side easily.
 
LVL 1

Assisted Solution

by:Neil_Smithline
Neil_Smithline earned 284 total points
ID: 19544596
I'm sorry but I can't go for the referer solution or the complex directory name solution. The referer solution is bad for many reasons (briefly touched upon above), but mostly because the client fills in the referer link. You can never trust the client. One must always view the client as a brilliant and diabolical opponent who would be smart enough to forge a referer link.

As for the random directory name. I think that solution works but should someone somehow get that directory name, then all security is gone. This is essentially proposing "security by obscurity", a weak solution, at best.

paradoxengine's second solution seems along the right track. A "secure" random token stored on the server should be pretty tight. Adding a timeout on the token will make it even tighter. That way you can keep users from accessing the links page, visiting other pages, and then entering one of these extra-secure URLs directly, as the random token will have timed out. A timeout on the order of a few minutes might be reasonable.

Another variant is to store data in hidden fields on the links page and have clicking the link actually submit a form. I think the data you need in the hidden fields is the session ID, a timeout time, the page or pages they have access to, and a signature that signs all of the hidden fields along with a random number that is only stored in the user's session on the server (the random number ensures that the user cannot spoof the signature).

There probably are other ways to do this, but one thing I'm wondering is why do you wish to do this? It seems so un-web-like.

- Neil
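Neil's signed-hidden-fields variant as an added example (not part of his comment or any code from the thread). Assumptions made here: HMAC-SHA256 is the signature (Neil names no algorithm); the "random number only stored in the user's session" is a 256-bit per-session key; the links page and the form target are the same script; the links page is only rendered to users who are already logged in; and the field names, the three-minute lifetime and the example file name report.pdf are this example's own.

```php
<?php
// Added example, not code from the thread: Neil_Smithline's signed hidden
// fields. Assumptions: HMAC-SHA256 as the signature, a per-session random key
// as the "random number only stored in the user's session", the links page
// (GET) and the form target (POST) served by this same script.
session_start();

// The server-side secret. Anyone who reads the hidden fields still cannot
// produce a valid 'sig' without it, so editing 'file' or 'expires' is futile.
function session_secret(): string
{
    if (empty($_SESSION['link_secret'])) {
        $_SESSION['link_secret'] = bin2hex(random_bytes(32));   // 256 bits
    }
    return $_SESSION['link_secret'];
}

// Fixed field order and an unambiguous separator, so two different field
// sets cannot canonicalize to the same string.
function canonical(array $f): string
{
    return implode("\n", [$f['sid'], $f['file'], $f['expires']]);
}

// Hidden fields for one link on the links page: session ID, file, expiry, signature.
function signed_fields(string $file, int $ttl = 180): array
{
    $fields = [
        'sid'     => session_id(),
        'file'    => $file,
        'expires' => (string)(time() + $ttl),
    ];
    $fields['sig'] = hash_hmac('sha256', canonical($fields), session_secret());
    return $fields;
}

// Verify the POSTed fields. Returns the file name on success, null otherwise.
function verify_fields(array $post): ?string
{
    foreach (['sid', 'file', 'expires', 'sig'] as $k) {
        if (!isset($post[$k]) || !is_string($post[$k])) {
            return null;
        }
    }
    $expected = hash_hmac('sha256', canonical($post), session_secret());
    if (!hash_equals($expected, $post['sig'])) {   // constant-time comparison
        return null;                               // forged or edited fields
    }
    if ($post['sid'] !== session_id()) {           // fields belong to this session
        return null;
    }
    if ((int)$post['expires'] < time()) {          // link has timed out
        return null;
    }
    return $post['file'];
}

// Render a form whose only visible part is a button; clicking it POSTs the
// signed fields. The link text is the file name.
function link_form(string $file): string
{
    $html = '<form method="post" action="' . htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES) . '">';
    foreach (signed_fields($file) as $name => $value) {
        $html .= sprintf('<input type="hidden" name="%s" value="%s">',
            htmlspecialchars($name, ENT_QUOTES), htmlspecialchars($value, ENT_QUOTES));
    }
    return $html . sprintf('<button type="submit">%s</button></form>', htmlspecialchars($file, ENT_QUOTES));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $file = verify_fields($_POST);
    if ($file === null) {
        http_response_code(403);
        exit('AUTH REQUIRED');
    }
    // $file is a name this same session was shown on the links page within
    // the last three minutes; hand it to the file-serving script from here.
    echo 'Verified: ', htmlspecialchars($file, ENT_QUOTES);
} else {
    echo link_form('report.pdf');   // the links page, shown only to logged-in users
}
```

Because the request is a POST carrying a signature, there is no URL to type or bookmark; a user who wants the file again has to go back to the links page and click. The `hash_equals` call matters: a plain `===` on the hex signature leaks timing and is the one place this scheme could otherwise be chipped away at.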
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 284 total points
ID: 19545326
> .. like to restrict access to a certain directory on my webserver if users directly access any file by typing in the address bar.

I guess you're just talking about the files in the directory, not the directory itself, not being accessible by direct URL. Otherwise the only solution is: don't publish ;-)

Having said this, I'd do it as follows:
1. create your directory in the web server containing the PDF files; this directory must not be accessible through a URL (either outside DocumentRoot, or with access restrictions)
2. write a .php script doing your authentication and accepting a parameter for the final file to be retrieved
3. the .php described in 2. delivers requested files only if the user credentials match; then files are fetched from 1. and sent to the client
 
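The download script that both GEM100 (pdfdlscript.php?myfile=myfile.pdf) and ahoffmann describe, as an added example rather than code from either comment. The one check a practitioner should not skip: a file name taken from $_GET and concatenated straight into a path lets `../` walk out of the PDF directory to anything the web server user can read, so the name is validated and the resolved path is checked for containment before anything is sent. Assumptions here: the PDFs live in /var/www/private_pdfs, outside DocumentRoot (so Apache never serves them and no directory-listing trick is needed), and a logged-in user is marked by $_SESSION['authok'] as in the accepted answer.

```php
<?php
// Added example, not code from the thread: the pdfdlscript.php that GEM100
// and ahoffmann describe, with the path handling a practitioner would want.
// Assumptions: PDFs in /var/www/private_pdfs, a directory outside
// DocumentRoot; logged-in users flagged by $_SESSION['authok'].
session_start();

const PDF_DIR = '/var/www/private_pdfs';     // assumption: not under DocumentRoot

// Authentication first. Without it the script is just an open file proxy.
if (empty($_SESSION['authok'])) {
    http_response_code(403);
    exit('AUTH REQUIRED');
}

// Resolve the requested name to a path that is provably inside PDF_DIR.
// Returns null for anything else: "../" sequences, absolute paths, symlinks
// pointing out of the directory, non-PDF names, missing files.
function resolve_pdf(string $requested): ?string
{
    // Name-level check: one path component, .pdf suffix, a conservative
    // character set. This also keeps the name safe for the
    // Content-Disposition header below.
    if (!preg_match('/^[A-Za-z0-9_-]+\.pdf$/', $requested)) {
        return null;
    }
    $base = realpath(PDF_DIR);
    $path = realpath($base . '/' . $requested);   // follows symlinks, normalizes
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment: the resolved path must start with the resolved base plus
    // a separator, not merely share a string prefix (/var/www/private_pdfs2).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['myfile'] ?? '';
$path = is_string($requested) ? resolve_pdf($requested) : null;
if ($path === null) {
    http_response_code(404);     // same answer for "forbidden" and "absent"
    exit('NOT FOUND');
}

header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');   // keep it out of shared caches
header('X-Content-Type-Options: nosniff');
readfile($path);
```

This answers Neil's question about bookmarking as far as it can be answered: pdfdlscript.php?myfile=report.pdf can be typed or bookmarked, but it only returns the file while the session is logged in, and it never exposes the directory itself. Restricting to a click rather than a typed URL on top of that needs the token or signed-form mechanisms discussed earlier in the thread.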
 
LVL 1

Expert Comment

by:Neil_Smithline
ID: 19547164
Ahoffman,

How does your solution prevent access to the files by direct typing or bookmarking of the link? I think that is what is being requested here.

Also, can't you effectively prohibit access to a directory by including an index.php that redirects to an error page (could even be a 401: unauthenticated, a 403: unauthorized, or a 404: file not found). That still leaves you with protecting the files themselves but there have already been a few solutions for that.

- Neil
 

Author Comment

by:woleraymond
ID: 19547236
Please go ahead with the solutions.
 
LVL 12

Expert Comment

by:lunadl
ID: 19547413
There are ways of accomplishing this with custom HTTP handlers, requiring server-side additions to make file content different, or by retrieving the file from a directory on your server that is not publicly served to the web and writing the contents out. Do you have access to your server, or is it hosted by a third party?
 
LVL 12

Expert Comment

by:lunadl
ID: 19547610
Also, are you against having the file entirely in a database? If not, you can read the contents of the file from the database on each request of a file. At that point you can do all the server-side authentication you want to make sure the user is who they say they are.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 19547715
> How does your solution prevent access to the files by direct typing or bookmarking of the link?
see 1. "outside DocumentRoot" in http:#19545326

> pls go ahead with the solutions
what's wrong with mine?
 
LVL 12

Expert Comment

by:lunadl
ID: 19548357
@ahoffmann
Try it out, ahoffmann: you will be able to link to files that aren't handled by your HTTP server, like images. The directory is secure because its server files are protected from access.
That is why the solution has to come from a type of file that the server handles.
If the files cannot be put into a database, then the solution will need to be a little more difficult to implement. If the files can be stored in a database, then you can protect a single page that authenticates a request and then streams/writes the file dynamically from the database to the user.


 
LVL 51

Expert Comment

by:ahoffmann
ID: 19553962
lunadl, I'm not sure what you want to tell me.
But let's wait 'til the questioner responds to the suggestions.
