Konstantin Krolikov asked:

limit access

Hello experts, I need to limit access to files or a directory to some users, and I have no idea how to do this.
I'm working with Linux.

I want only the PHP page to have access to get files from the directory, and if someone searches for the file URL he will get no access; he will get a 403 error.

Example:
I have a directory of messages, which is called messages.
I want to load file 4065, so I write in the URL http://localhost/messages/4065.txt and I'll get the result, the content that was inside the file.
I want to make sure that only when the user logs in, the PHP file will be the only one which can access the messages directory or the files inside.

How do I do this?
How do I block everyone from accessing the folder so that only some PHP files have access?

Lots of thanks ahead.. :)

StingRaY

You can use cookies with .htaccess to control the access.

Once the user has logged in, grant an access cookie to the user, for example, named 'authorized'.

In .htaccess,


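# Enable mod_rewrite for this directory
RewriteEngine On
RewriteBase /
# Match requests that carry no cookie named "authorized" (any value)
RewriteCond %{HTTP_COOKIE} !authorized=([^;]+) [NC]
# Send such requests for anything under messages/ to the 403 page
RewriteRule ^messages/.*$ /show403.php [PT,QSA,L]

The last line of code will work only when no authorized cookie is found.
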
If you want a little bit friendlier way of talking to your clients, you might consider using PHP authentication.  This article shows the design pattern.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

In any case, if you want good security place the files you want to protect outside of the WWW root directory.  Then casual web browsers cannot "accidentally" get to them.  Use an authenticated (access-controlled) PHP script to browse the external directory and present the files for your authorized clients.

Security is a multi-layered thing and fairly complicated (in fact, IT Security is a full-time, four-year college major at the University of Maryland) and it usually represents some kind of trade-off between convenience and secrecy. Think about the big picture as you plan your security systems. What do you want to protect? Nuclear launch codes, financial transactions, medical records, college transcripts, stock photos, bowling scores? All of these have different security profiles and get different levels of protection.

My preference has always been to use password protection through .htaccess.

That and a bunch of other options are covered HERE



Cd&

Konstantin Krolikov (ASKER)

I thought about putting the files outside the directory; the problem is that they can get them through the HTML code.
You can change the link location to the location that you want and then download, so I need better security.
Example:
If there is this link <a href="index.php">Home Page</a>
then the user can change the HTML code (simple to do) and write <a href="../Messages/1000.txt">Home Page</a> --> then he can download pretty much anything he wants.

As I said, I need a better way. I need somehow to block, and only if he is logged in does he have access, but not to everything, only to his messages.. :)

Please help me: how do I block users from the directory but let PHP import files from there?

Again, lots of thanks

Did you try my suggestion above? If yes, what is the flaw?
You can use the above solution as a guide to apply to your work.

Puzatiy,

What is it you want? There is no magic. The link I posted gives you a range of options. Pick one and we will help you implement it; but any option is going to require some work and cooperation on your part.

Cd&

And your solution is good, but there are a few problems.
1. I have no idea what the code you wrote does; I don't know how to use files, and I don't know how to write htaccess code.
2. My project has no cookies; I only use sessions and I'd like to keep it this way. :)

Please help me; this solution looks good. I just need you to teach me how to use it or how to write htaccess code, or even give me a link to some guide.

Thanks ahead... :)

Okay you can start by using this Password file generator

It is step by step and if you need help as you implement we will be here to help.


Cd&

Thanks, that's good, but again that's not what I need.
I want only one PHP file to have access to the directory. How do I do it?

Let's say I have the page messages.php.
I want it to be the only one that has access to the messages directory. All the other pages blocked, and the directory blocked to anyone, any IP.

Is there any way to do this with an htaccess file? I know there is a way to block by IP, but can I allow some pages?

Tons of thanks.. :)

Name the messages directory something else, a hard-to-guess name, for example, doB_4je01j32_boxfd8 or whatever, and store the messages in that directory. Then, use your messages.php to control and grant the access to the user.

ASKER CERTIFIED SOLUTION
COBOLdinosaur

This solution is only available to members.

Yeah, that is exactly what I wanted.
Thanks a lot, but it is not working. I deleted the space in the deny,allow and it is not working. If you can, please show me how to do this.
I changed the location, but it is still not working.. :(

Just show me how to apply this code:
order deny,allow
deny from all
allow from messages.php

I tried it ^^ and it is still not working. I tried to write the full path like this: http://localhost/messages.php
and got the same result.

Lots of thanks.. really helpful :)

Which directory did you put the .htaccess file in?


Cd&

In my messages directory.. why?

How are you testing to see what is denied?

Cd&

I simply write the URL and it shows me a 500 error. It is because something in the htaccess file is not right. If I can only fix that, I think it might work.

Thanks..

What do you mean write the URL? What are you using to go to the server? A 500 error is a severe error that means that it could not carry out the request.


Cd&

But the error happens only when I use the code you wrote; otherwise it works.
I want to do it as you wrote it:
order allow,deny
allow from index.php
deny from all

That is an example. How do I do that? How do I make this code work? Thanks ahead

You're not answering what I asked: how are you sending the request to the server?


Cd&

Ahhh, never mind, I managed to do that, but thanks a lot. I used the deny to all, and when I want to import a file I simply use the PHP code... include or read the file. But thanks man, I don't know why, but when I looked at your code this idea came to me, so thanks!!!
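
The approach the thread ends on (deny all direct web access to the messages directory and let a session-checked PHP page read the files), as an added example that is not code from any participant; unlike a cookie-presence test in .htaccess, the session check cannot be satisfied by a header the client makes up. It assumes the login page sets $_SESSION['user_id'] and that messages are stored per user as MESSAGE_ROOT/<user_id>/<id>.txt; those names and the path are hypothetical.

```php
<?php
// messages.php: added example, not code from this thread.
// Assumptions (hypothetical): login stores the user's id in $_SESSION['user_id'];
// each user's files are MESSAGE_ROOT/<user_id>/<message_id>.txt; MESSAGE_ROOT is
// outside the web root, or web access to it is denied ("deny from all").
declare(strict_types=1);

const MESSAGE_ROOT = '/var/app-data/messages'; // hypothetical location

// Return the real path of one of $userId's messages, or null if the id is
// malformed, the file is missing, or the path escapes the user's folder.
function resolve_message_path(string $root, int $userId, string $messageId): ?string
{
    // Digits only: rejects "../1000", absolute paths, NUL bytes and empty ids.
    if (!ctype_digit($messageId)) {
        return null;
    }
    $userDir = realpath($root . '/' . $userId);
    if ($userDir === false) {
        return null;
    }
    // realpath() follows symlinks, so re-check that the result is still inside
    // the user's own folder before trusting it.
    $path = realpath($userDir . '/' . $messageId . '.txt');
    $prefix = $userDir . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(403); // not logged in
    exit('Forbidden');
}

$id = $_GET['id'] ?? null; // e.g. messages.php?id=4065
$path = is_string($id)
    ? resolve_message_path(MESSAGE_ROOT, (int) $_SESSION['user_id'], $id)
    : null;
if ($path === null) {
    http_response_code(404); // same answer for "missing" and "not yours"
    exit('Not found');
}

header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
readfile($path); // streams the bytes; unlike include, never executes them as PHP
```

Because the folder is chosen from the session and never from the request, editing a link to point at another user's file only changes the id looked up inside the caller's own folder.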