Restriction on directly accessing any file by typing in the address bar

I would like to restrict access to a certain directory on my web server so that users cannot directly access any file in it by typing its address in the address bar. I would like only privileged users to be able to do that, and only by clicking a link.
How do I achieve this with PHP?
woleraymond Asked:
 
paradoxengine Commented:
Well, the question is somewhat unclear, so we need more information. Anyway...
You could achieve directory security using Apache basic authentication, but that will not help with clicking vs. typing.
This is how I'd do that.
1- Create a "grantaccess.php" file. Do your authentication stuff there: if a user authenticates, then put something like "authok" in the session.
2- In each and every PHP file you want to protect, add something like `if (empty($_SESSION['authok'])) die("AUTH REQUIRED");`. Note this won't help you with images and such, and once the user has authenticated he will be able to access any file without clicking.

To achieve exactly what you want, you'd have to add a random token to the session at each click, then redirect the user to the page, and in the page consume the token.
Like: grantaccess.php -> Is the user authenticated? If so, generate a token, put it into the session, redirect the user to PAGEX.php -> delete the token. If there's no token, deny access.
This way the user will only be able to access the page one time, and only by clicking on the link.
0
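The one-time "click token" flow described in the comment above, written out as an added example (this is editorial code, not code from the thread or from any of the commenters). The grant step and the protected page are folded into a single script selected by an `action` parameter so it can be tried in one file; in a real site the `grant` branch is grantaccess.php and the `view` branch is the top of PAGEX.php. A short expiry on each token is included as well. Assumptions not in the thread: the login code has already set `$_SESSION['authok'] = true`, and the page names in `PROTECTED_PAGES` are placeholders.

```php
<?php
// Added example: one-time click token stored server side in the session.
// Assumption: the login step has already set $_SESSION['authok'] = true.
session_start();

const CLICK_TOKEN_TTL = 180;                                   // seconds a token stays valid
const PROTECTED_PAGES = ['report' => 'PAGEX.php', 'summary' => 'PAGEY.php']; // placeholders

// Mint a token bound to one target page; the client only ever sees the token itself.
function issue_click_token(string $target): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['click_tokens'][$token] = [
        'target'  => $target,
        'expires' => time() + CLICK_TOKEN_TTL,
    ];
    return $token;
}

// Consume a token. It is removed BEFORE it is checked, so a bookmarked or
// re-typed URL fails on the second attempt even if the first one succeeded.
function consume_click_token(?string $token, string $target): bool
{
    if ($token === null || !isset($_SESSION['click_tokens'][$token])) {
        return false;
    }
    $entry = $_SESSION['click_tokens'][$token];
    unset($_SESSION['click_tokens'][$token]);
    return $entry['expires'] >= time() && $entry['target'] === $target;
}

// Drop expired tokens so the session does not grow without bound.
function purge_expired_tokens(): void
{
    foreach ($_SESSION['click_tokens'] ?? [] as $t => $entry) {
        if ($entry['expires'] < time()) {
            unset($_SESSION['click_tokens'][$t]);
        }
    }
}

function deny(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg);
}

if (empty($_SESSION['authok'])) {
    deny(403, 'AUTH REQUIRED');
}
purge_expired_tokens();

$action = $_GET['action'] ?? 'links';
$page   = $_GET['page'] ?? '';
if ($action !== 'links' && !isset(PROTECTED_PAGES[$page])) {
    deny(404, 'no such page');
}

switch ($action) {
    case 'links':   // the page the privileged user clicks from
        foreach (PROTECTED_PAGES as $key => $file) {
            printf('<a href="?action=grant&amp;page=%s">%s</a><br>',
                   urlencode($key), htmlspecialchars($file));
        }
        break;

    case 'grant':   // grantaccess.php: mint a token and redirect to the page
        $token = issue_click_token($page);
        header('Location: ?action=view&page=' . urlencode($page) . '&t=' . $token, true, 303);
        exit;

    case 'view':    // top of PAGEX.php: consume the token or refuse
        if (!consume_click_token($_GET['t'] ?? null, $page)) {
            deny(403, 'AUTH REQUIRED: follow the link; this URL cannot be reused');
        }
        echo 'Protected content of ', htmlspecialchars(PROTECTED_PAGES[$page]);
        break;

    default:
        deny(404, 'unknown action');
}
```

The token is deleted before its expiry and target are checked, so the only way to reach the `view` branch is to arrive through the `grant` redirect within the TTL. Note what this does not cover, as the comment itself warns: any file the web server hands out without going through PHP (images, PDFs) is untouched by this check.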
 
woleraymond (Author) Commented:
hi,
I am actually protecting PDF documents in the directory.
0
 
GEM100 Commented:
Create a directory which no one will know about, and disable file listing for that directory:
http://www.javascriptkit.com/howto/htaccess11.shtml
Make sure the directory name cannot be guessed either; make it something like /pdfs5464243589/

Then make a PHP script which will download files based on the file name. The file name will be passed to the PHP script via $_GET vars, e.g.:
pdfdlscript.php?myfile=myfile.pdf

Then "pdfdlscript.php" will take a file from your directory and pass it to the user to view/download. The directory name "/pdfs5464243589/" can be placed within the PHP code, and this PHP code will grab the file based on the $_GET['myfile'] variable. This PHP file will also take care of user authentication (e.g. via user session). So it will not give the file download if someone types
http://www.domain.com/pdfdlscript.php?myfile=myfile.pdf
in the browser directly, but will allow it if the user is logged in.
0
 
lunadl Commented:
You need to create a new custom HTTP handler for the files and serve them from a server page.
0
 
Oscurochu Commented:
Check for a referer. Deny all users that do not have a referer, and deny users coming from referring URLs that you do not approve of.

0
 
GEM100 Commented:
Oscurochu: I disagree; some versions of antivirus totally block the referer, and the referer can be faked on the client side easily.
0
 
Neil_Smithline Commented:
I'm sorry but I can't go for the referer solution or the complex directory name solution. The referer solution is bad for many reasons (briefly touched upon above), but mostly because the client fills in the referer link. You can never trust the client. One must always view the client as a brilliant and diabolical opponent who would be smart enough to forge a referer link.

As for the random directory name. I think that solution works but should someone somehow get that directory name, then all security is gone. This is essentially proposing "security by obscurity", a weak solution, at best.

paradoxengine's second solution seems along the right track. A "secure" random token stored on the server should be pretty tight. Adding a timeout on the token will make it even tighter. That way you can prevent users from accessing the links page, visiting other pages, and then entering one of these extra-secure URLs directly, as the random token will have timed out. A timeout on the order of a few minutes might be reasonable.

Another variant is to store data in hidden fields on the links page and have clicking the link actually submit a form. I think the data you need in the hidden fields is the sessionID, a timeout time, the page or pages they have access to, and a signature that signs all of the hidden fields along with a random number that is only stored in the user's session on the server  (the random number ensures that the user cannot spoof the signature).

There probably are other ways to do this, but one thing I'm wondering is why do you wish to do this? It seems so un-web-like.

- Neil
0
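The "signed hidden fields" variant from the comment above, as an added example (editorial code, not the commenter's or the thread's own). The links page emits one small form per protected page; the hidden fields carry the session ID, an expiry time and the page name, and a signature over all of them. The signature is an HMAC keyed with a random value that is generated once per session and stored only in `$_SESSION`, so the client, which sees every field but not the key, cannot forge it. Assumptions not in the thread: login has already set `$_SESSION['authok'] = true`, HMAC-SHA256 is the signature scheme, and the page names are placeholders.

```php
<?php
// Added example: links as signed forms, verified with a per-session HMAC key.
// Assumption: the login step has already set $_SESSION['authok'] = true.
session_start();

const LINK_TTL = 180;                                            // seconds a signed link is valid
const PAGES = ['report' => 'PAGEX.php', 'summary' => 'PAGEY.php']; // placeholders

// Per-session random key: created once, kept server side, never sent to the client.
function link_key(): string
{
    if (empty($_SESSION['link_key'])) {
        $_SESSION['link_key'] = random_bytes(32);
    }
    return $_SESSION['link_key'];
}

// Sign the fields in a canonical order so the HMAC covers exactly these values.
function sign_fields(array $fields): string
{
    ksort($fields);
    return hash_hmac('sha256', http_build_query($fields), link_key());
}

// Verify a submitted form: signature first, then binding to this session, then expiry.
function fields_valid(array $post): bool
{
    foreach (['sid', 'expires', 'page', 'sig'] as $k) {
        if (!isset($post[$k]) || !is_string($post[$k])) {
            return false;
        }
    }
    $fields = ['sid' => $post['sid'], 'expires' => $post['expires'], 'page' => $post['page']];
    if (!hash_equals(sign_fields($fields), $post['sig'])) {   // constant-time compare
        return false;
    }
    if ($fields['sid'] !== session_id()) {                     // signed for another session
        return false;
    }
    if ((int) $fields['expires'] < time()) {                   // timed out
        return false;
    }
    return isset(PAGES[$fields['page']]);
}

function deny(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg);
}

if (empty($_SESSION['authok'])) {
    deny(403, 'AUTH REQUIRED');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!fields_valid($_POST)) {
        deny(403, 'AUTH REQUIRED: invalid or expired link');
    }
    echo 'Protected content of ', htmlspecialchars(PAGES[$_POST['page']]);
    exit;
}

// GET: the links page. Each "link" is a form whose submit button is the link.
foreach (PAGES as $key => $file) {
    $fields = ['sid' => session_id(), 'expires' => (string) (time() + LINK_TTL), 'page' => $key];
    $fields['sig'] = sign_fields($fields);
    echo '<form method="post">';
    foreach ($fields as $name => $value) {
        printf('<input type="hidden" name="%s" value="%s">', $name, htmlspecialchars($value));
    }
    printf('<button type="submit">%s</button></form>', htmlspecialchars($file));
}
```

Two properties worth noting when choosing between this and a stored one-time token: because nothing is consumed on use, a signed form can be resubmitted until its expiry (only the timeout limits replay), and because the submission is a POST, a plain typed or bookmarked URL never carries the fields at all.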
 
ahoffmann Commented:
> .. like to restrict access to a certain directory on my webserver if users directly access any file by typing in the address bar.

I guess you're just talking about the files in the directory, not the directory itself, not being accessible by direct URL. Otherwise the only solution is: don't publish ;-)

Having said this, I'd do it as follows:
1. Create your directory on the web server containing the PDF files; this directory must not be accessible through a URL (either outside DocumentRoot, or access restrictions).
2. Write a .php script doing your authentication and accepting a parameter for the final file to be retrieved.
3. The .php script described in 2. delivers the requested files only if the user credentials match; then the files are fetched from 1. and sent to the client.
 
0
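The gatekeeper script that both GEM100 (pdfdlscript.php?myfile=myfile.pdf) and ahoffmann (directory outside DocumentRoot) describe, as an added example; this is editorial code, not code from the thread. Keeping the PDFs outside DocumentRoot means the web server cannot hand them out at all, so this script is the only route to them, which is what the per-page PHP session check cannot give you for non-PHP files. The part the thread does not spell out is that `$_GET['myfile']` is attacker-controlled: concatenating it onto the directory path would also open `../../etc/passwd`, so the name is restricted to a simple pattern and the resolved path is checked to be inside the directory. Assumptions not in the thread: the private directory is `/srv/private-pdfs`, and login has already set `$_SESSION['authok'] = true`.

```php
<?php
// Added example: pdfdlscript.php, the only route to PDFs stored outside DocumentRoot.
// Assumptions: files live in /srv/private-pdfs (placeholder path) and the login
// step has already set $_SESSION['authok'] = true.
session_start();

const PDF_DIR = '/srv/private-pdfs';

function deny(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg);
}

// Map a user-supplied name to a real file inside PDF_DIR, or null if it is not one.
function resolve_pdf(string $name): ?string
{
    // Only plain names like "report-2024.pdf": no slashes, no "..", no NUL bytes.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.pdf$/', $name)) {
        return null;
    }
    $base = realpath(PDF_DIR);
    $path = realpath(PDF_DIR . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks, so confirm the result is still under PDF_DIR.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Stream the file with explicit headers; no-store keeps it out of shared caches.
function send_pdf(string $path): void
{
    header('Content-Type: application/pdf');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    header('Cache-Control: private, no-store');
    readfile($path);
}

if (empty($_SESSION['authok'])) {
    deny(403, 'AUTH REQUIRED');
}

$path = resolve_pdf($_GET['myfile'] ?? '');
if ($path === null) {
    deny(404, 'no such document');   // same answer for a bad name and a missing file
}
send_pdf($path);
```

On its own this only ensures that nobody reaches a PDF without being logged in; a logged-in user can still type or bookmark the pdfdlscript.php URL. If the "only by clicking" requirement matters, replace the `authok` test with a consume-the-token check of the kind paradoxengine describes earlier in the thread, so the download URL works once and only after a redirect from the links page.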
 
Neil_Smithline Commented:
Ahoffman,

How does your solution prevent access to the files by direct typing or bookmarking of the link? I think that is what is being requested here.

Also, can't you effectively prohibit access to a directory by including an index.php that redirects to an error page (could even be a 401: unauthenticated, a 403: unauthorized, or a 404: file not found). That still leaves you with protecting the files themselves but there have already been a few solutions for that.

- Neil
0
 
woleraymond (Author) Commented:
Please go ahead with the solutions.
0
 
lunadl Commented:
There are ways of accomplishing this with custom HTTP handlers, requiring server-side additions to make the file content different, or by retrieving the file from a directory on your server that is not publicly served to the web and writing the contents out. Do you have access to your server, or is it hosted by a third party?
0
 
lunadl Commented:
Also, are you against having the file entirely in a database? If not, you can read the contents of the file from the database on each request for a file. At that point you can do all the server-side authentication you want to make sure the user is who they say they are.
0
 
ahoffmann Commented:
> How does your solution prevent access to the files by direct typing or bookmarking of the link?
see 1. "outside DocumentRoot" in http:#19545326

> pls go ahead with the solutions
what's wrong with mine?
0
 
lunadl Commented:
@ahoffmann
Try it out, ahoffmann: you will be able to link to files that aren't handled by your HTTP handler, like images. The directory is secure because its files are protected from access by the server.
That is why the solution has to come from a type of file that the server handles.
If the files cannot be put into a database, then the solution will need to be a little more difficult to implement. If the files can be stored in a database, then you can protect a single page that authenticates a request and then streams/writes the file dynamically from the database to the user.


0
 
ahoffmann Commented:
lunadl, I'm not sure what you want to tell me.
But let's wait until the questioner responds to the suggestions.
0
Question has a verified solution.