limit access

Hello experts, I need to limit access to files or a directory to some users, and I have no idea how to do this.
I'm working with Linux.

I want only a PHP page to have access to get files from the directory, and if someone searches for the file URL he will get no access; he will get a 403 error.

Example:
I have a directory of messages, which is called messages.
I want to load file 4065, so I write in the URL http://localhost/messages/4065.txt and I get the result, the content that was inside the file.
I want to make sure that only when the user is logged in, the PHP file will be the only one that can access the messages directory or the files inside.

How do I do this?
How do I block everyone from accessing the folder so that only some PHP files have access?

Lots of thanks ahead.. :)
Konstantin Krolikov Asked:
StingRaY Commented:
You can use cookies with .htaccess to control the access.

Once the user has logged in, grant an access cookie to the user, for example, named 'authorized'.

In .htaccess,


RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_COOKIE}	!authorized=([^;]+) [NC]
RewriteRule ^messages/.*$		/show403.php [PT,QSA,L]

The last line of code will work only when no authorized cookie is found.
0
Ray Paseur Commented:
If you want a little bit friendlier way of talking to your clients, you might consider using PHP authentication.  This article shows the design pattern.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

In any case, if you want good security place the files you want to protect outside of the WWW root directory.  Then casual web browsers cannot "accidentally" get to them.  Use an authenticated (access-controlled) PHP script to browse the external directory and present the files for your authorized clients.

Security is a multi-layered thing and fairly complicated (in fact, IT Security is a full-time four year college major at the University of Maryland) and it usually represents some kind of trade-off between convenience and secrecy.  Think about the big picture as you plan your security systems.  What do you want to protect? Nuclear launch codes, financial transactions, medical records, college transcripts, stock photos, bowling scores?  All of these have different security profiles and get different levels of protection.
0
COBOLdinosaur Commented:
My preference has always been to use password protection through .htaccess.  

That and a bunch of other options are covered HERE



Cd&
0
Konstantin Krolikov (Author) Commented:
I thought about putting the files outside the directory; the problem is that they can get them through the HTML code.
You can change the link location to the location that you want and then download, so I need better security.
Example:
if there is this link <a href="index.php">Home Page</a>
then the user can change the HTML code (simple to do) and write <a href="../Messages/1000.txt">Home Page</a> --> then he can download pretty much anything he wants.

As I said, I need a better way. I need to block somehow, and only if he is logged in does he have access, but not to everything, only to his messages.. :)

Please help me: how do I block users from the directory but let PHP import files from there?

Again, lots of thanks
0
StingRaY Commented:
Did you try my suggestion above? If yes, what is the flaw?
You can use the above solution as a guide to apply to your work.
0
COBOLdinosaur Commented:
Puzatiy,

What is it you want?  There is no magic.  The link I posted gives you a range of options. Pick one and we will help you implement it; but any option is going to require some work and cooperation on your part.

Cd&
0
Konstantin Krolikov (Author) Commented:
And your solution is good, but there are a few problems:
1. I have no idea what the code you wrote does, I don't know how to use files, and I don't know how to write htaccess code.
2. My project has no cookies; I only use sessions and I'd like to keep it this way. :)

Please help me. This solution looks good; I just need you to teach me how to use or how to write htaccess code, or even give me a link to some guide.

Thanks ahead... :)
0
COBOLdinosaur Commented:
Okay you can start by using this Password file generator

It is step by step and if you need help as you implement we will be here to help.


Cd&
0
Konstantin Krolikov (Author) Commented:
Thanks, that's good, but again that's not what I need.
I want only one PHP file to have access to the directory; how do I do it?

Let's say I have the page messages.php.
I want it to be the only one that has access to the messages directory. All the other pages blocked, and the directory blocked to anyone, any IP.

Is there any way to do this with an htaccess file? I know there is a way to block by IP, but can I allow some pages?

Tons of thanks.. :)
0
StingRaY Commented:
Name the messages directory to something else, hard-to-guess name, for example, doB_4je01j32_boxfd8 or whatever, and store the messages in that directory. Then, use your messages.php to control and grant the access to the user.
0
COBOLdinosaur Commented:
I think we have been coming at this the wrong way.  You just want to block access unless they are coming from a local page I think. So the htaccess file needs to be:

order deny, allow
deny from all
allow from http://yourdomain.com/path/*

If that is not what you are looking for then either we do not understand your request, or what you are asking for is not possible. We have offered all the alternatives. If this is not what you want then please explain exactly what you want in clear specific terms.

Cd&
0

Konstantin Krolikov (Author) Commented:
Yeah, that is exactly what I wanted.
Thanks a lot, but it is not working. I deleted the space in the deny,allow and it is not working. Can you please show me how to do this?
I changed the location, but it is still not working.. :(

Just show me how to apply this code:
order deny,allow
deny from all
allow from messages.php

I tried it ^^ and it's still not working. I tried to write the full path like this: http://localhost/messages.php
and got the same result.

Lots of thanks.. really helpful :)
0
COBOLdinosaur Commented:
Which directory did you put the .htaccess file in?


Cd&

0
Konstantin Krolikov (Author) Commented:
In my messages directory.. why?
0
COBOLdinosaur Commented:
How are you testing to see what is denied?

Cd&

0
Konstantin Krolikov (Author) Commented:
I simply write the URL and it shows me a 500 error. It is because something in the htaccess file is not right. If I can only fix that, I think it might work.

Thanks..
0
COBOLdinosaur Commented:
What do you mean, write the URL?  What are you using to go to the server?  A 500 error is a severe error that means that it could not carry out the request.


Cd&

0
Konstantin Krolikov (Author) Commented:
But the error happened only when I use the code you wrote; otherwise it works.
I want to do it as you wrote it:
order allow,deny
allow from index.php
deny from all

That is an example. How do I do that? How do I make this code work? Thanks ahead
0
COBOLdinosaur Commented:
You are not answering what I asked: how are you sending the request to the server?


Cd&
0
Konstantin Krolikov (Author) Commented:
Ahhh, never mind, I managed to do that, but thanks a lot. I used the deny to all, and when I want to import a file I simply use the PHP code... include or read the file. Thanks man, I don't know why, but when I looked at your code this idea came to me, so thanks!!!
0
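The approach the thread ends on (deny all HTTP access to the directory and let one access-controlled PHP page read the files, as Ray Paseur also suggests for files kept outside the web root), sketched as an added example that is not part of any post. The session key `user_id`, the per-user directory layout and the path `/var/www/private/messages` are assumptions made for the illustration.

```php
<?php
// messages.php: added example, not code from the thread.
// Assumed (hypothetical) layout, one sub-directory per numeric user id:
//   /var/www/private/messages/<userId>/<messageId>.txt
// Keep it outside the document root, or inside it with an .htaccess of
//   Require all denied                    (Apache 2.4)
//   Order deny,allow  +  Deny from all    (Apache 2.2)
// PHP reads through the filesystem, so these HTTP rules do not block it.

const MESSAGE_ROOT = '/var/www/private/messages'; // assumed path

function refuse(): void
{
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Forbidden');
}

// Returns the real path of the message, or null if the request is not allowed.
function resolveMessage(string $root, string $userId, string $messageId): ?string
{
    // Digits only: "../", slashes and NUL bytes never reach the path.
    if (!ctype_digit($userId) || !ctype_digit($messageId)) {
        return null;
    }
    $base = realpath("$root/$userId");
    $file = realpath("$root/$userId/$messageId.txt");
    if ($base === false || $file === false || !is_file($file)) {
        return null;
    }
    // After symlinks are resolved the file must still be in the user's directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

session_start();
$userId = $_SESSION['user_id'] ?? null;   // assumed to be set by the login page
$id     = $_GET['id'] ?? null;
if ($userId === null || !is_string($id)) {
    refuse();
}
$path = resolveMessage(MESSAGE_ROOT, (string) $userId, $id);
if ($path === null) {
    refuse();
}
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A logged-in user requests `messages.php?id=4065`; because the directory is taken from the session rather than from the request, editing a link can only ever select another of that user's own messages.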