upandrun3 asked:

Using PHP to control file access in Apache

Hi Experts,

I was wondering if anyone has devised a way to use PHP to control access to web-accessible files in Apache? Is this even possible? I was thinking that .htaccess would have to be used and PHP passes the arguments to it, though from what I've read this looks pretty impossible to do without giving away the security information. Or am I looking at using PHP to manage an offline section of the server and pass all file downloads through a wrapper script?

Just looking for your insights into this problem.

Thanks,
Pete Hanson
UAR
The_Blasted_One replied:

.htaccess is one method (for partial, password-based access restriction it would be .htaccess + .htpasswd). One of the methods.

- You can restrict access by editing .htaccess/.htpasswd directly, by hand.
- You can edit .htaccess/.htpasswd with your PHP script (I see no penalty to your security here, as long as your script has no vulnerabilities that could give an attacker a way to access your .htaccess/.htpasswd).
- You can manage all the access with your script (yes, wrapping the downloads with PHP). But make sure you've restricted access to the directory where the files are stored with .htaccess.
- Or you can place that directory above the website root directory, so it can be accessed by a local PHP wrapper script and cannot be accessed from the web.
Not quite sure what "impossible without giving away the security information" means - there are tons of online resource storage applications written in PHP that secure access to files.

A couple of ways I've seen it done:

1. Use mod_rewrite in Apache to pass all requests for files in a specific directory to a PHP script that performs authentication, then sends the requested file using fpassthru(). Simple to set up; however, if your files are very diverse in type you'll have to create the Content-Type headers yourself, and you'll need to take care of all the possible MIME types.

2. Let PHP control .htaccess / mod_auth. Doable, but kind of a horse-behind-the-carriage solution ;)

3. Use something like mod_auth_pgsql or mod_auth_mysql and control the user databases from PHP - logically very much like #2 but a bit more secure.
upandrun3 (asker) replied:

Thanks for your comments.

m1tk4, do you have any references for your first idea? That sounds more like what I may want to do.

Our system already has a rich tool set to manage files in webspace (CMS system). Ideally I could set up "protected" folders where files could go that would then pass through some form of PHP authentication. mod_rewrite may be the answer there.
ASKER CERTIFIED SOLUTION (m1tk4): solution text only available to members.

upandrun3 (asker) replied:

m1tk4, thanks for the links. I'm guessing then that I'd have to use .htaccess files to protect the folder for normal access, correct? Would that have an impact on mod_rewrite? I should have some time to test this solution out today.
Apache's mod_rewrite is controlled with .htaccess directives (RewriteEngine, RewriteRule), you're writing them within .htaccess.
Is this the thing you wanted to know?
Any authentication you would do for those folders would go on top of your PHP application. What you could do is move your file storage outside the web root altogether - for mod_rewrite purposes /filestore/protectedfiles does not have to exist at all.
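The following is an added example, not code from the thread or from either commenter, of the mod_rewrite + PHP wrapper approach described above (option 1, with the file store kept outside the web root). The store path, the `download.php` name, the `file` query parameter, the session-based `userMayDownload()` check and the MIME table are all assumptions for illustration; the CMS would supply its own authentication. Beyond what the thread states, it also rejects traversal segments and dot-files before touching the filesystem and re-checks the resolved path with `realpath()`, so a request cannot be steered out of the store.

```php
<?php
// download.php: added example of the mod_rewrite + fpassthru() approach.
// Assumed .htaccess in the DocumentRoot (mod_rewrite directives live in .htaccess,
// as noted in the thread):
//
//   RewriteEngine On
//   RewriteRule ^filestore/protectedfiles/(.+)$ /download.php?file=$1 [L,QSA]
//
// /filestore/protectedfiles never exists under the web root; the real files sit
// outside it (STORE_DIR, an assumed path), so the only route to them is this script.

declare(strict_types=1);

const STORE_DIR = '/var/www/filestore/protectedfiles'; // assumed; NOT under DocumentRoot

// Assumed authentication hook. Wire this to the CMS's own session/user check;
// the $relPath argument lets per-file or per-folder rules be applied.
function userMayDownload(string $relPath): bool
{
    session_start();
    return !empty($_SESSION['user_id']);
}

// Resolve the requested relative path to an absolute file inside STORE_DIR.
// Returns null for anything malformed, hidden, or outside the store.
function resolveProtectedFile(string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Reject empty segments ("//", trailing "/"), "." and "..", and any dot-file
    // (".htaccess", ".git", ...) before touching the filesystem.
    foreach (explode('/', $requested) as $segment) {
        if ($segment === '' || $segment[0] === '.') {
            return null;
        }
    }
    $base = realpath(STORE_DIR);
    $full = realpath(STORE_DIR . '/' . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // realpath() followed symlinks; the result must still be under the store.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Explicit MIME table (assumed, extend as needed); anything unknown is served as
// octet-stream so the browser downloads it instead of sniffing and rendering it.
function contentTypeFor(string $path): string
{
    static $types = [
        'pdf'  => 'application/pdf',
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'zip'  => 'application/zip',
        'txt'  => 'text/plain; charset=utf-8',
    ];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $types[$ext] ?? 'application/octet-stream';
}

// Stream the file with fpassthru(), setting the Content-Type header by hand.
function sendFile(string $full): void
{
    $name = str_replace(['"', "\r", "\n"], '', basename($full));
    header('Content-Type: ' . contentTypeFor($full));
    header('Content-Length: ' . filesize($full));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    $fp = fopen($full, 'rb');
    if ($fp === false) {
        http_response_code(500);
        return;
    }
    fpassthru($fp);
    fclose($fp);
}

$requested = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : '';

if (!userMayDownload($requested)) {
    http_response_code(403);
    exit('Forbidden');
}
$full = resolveProtectedFile($requested);
if ($full === null) {
    http_response_code(404); // same answer for missing, hidden, and escaped paths
    exit('Not found');
}
sendFile($full);
```

A request for `/filestore/protectedfiles/reports/q1.pdf` is rewritten to `/download.php?file=reports/q1.pdf`; the script authenticates, maps the name onto the store outside DocumentRoot, and streams it. Because nothing under the web root actually contains the files, a request that somehow misses the RewriteRule gets a plain 404 from Apache rather than the file, which is the property that makes "above the website root" the safer of the two layouts described above.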
upandrun3 (asker) replied:

The mod_rewrite solution worked great. How secure is this setup? Do I need to worry about tricks to get around the rewrite rule? Any other precautions I should take?
SOLUTION (The_Blasted_One): solution text only available to members.

upandrun3 (asker) replied:
Hi The Blasted One,

Thanks for the checks. I've got pretty decent folder and file classes built that do quite a bit of verification that nothing tricky is being done with file parameters (as these are used for the web-based file manager too). Good call on the dot-file access through the input var, though; I'll check that, as I'm not sure about it.

Thanks for the help, and you too, m1tk4.