Solved

How can I prevent non-logged in users from accessing PDFs/DOCs/Etc.

Posted on 2014-01-09
5
304 Views
Last Modified: 2014-02-20
I inherited various web clients from another developer many years ago.  One client site, that's probably over 8 years old, has some serious security issues.  Recently, a PDF that they thought was only accessible through the client's login, showed up on a Google search, and opened just fine. Since they assumed these could only be accessed when their client's logged in, they're understandably freaking out.

I plan to add SSL so that, at the very least, their login codes are encrypted, I've also added a robot.txt file so they won't index them anymore; however, what is the best way to prevent anyone from entering www.domain.com/pdf/filename.pdf into the browser to view these documents?

The host told me that I'd have to secure that directory with a password, meaning they'd have to log into their account, then add another username/password to open any of these files.  I can't believe this is the answer.  So, I'm coming to you brilliant folks.

Any ideas for how to assure this client that their private documents are private?  Let me know.  Thanks.
0
Comment
Question by:StellaBob
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 58

Accepted Solution

by:
Gary earned 500 total points
ID: 39769738
The best security is to have the file outside the root of your site so they are not directly accessible at all
Then when someone needs to access them you can stream the file to them (of course checking they are logged in).
While the file is not publicly accessible it doesn't prevent your server side code accessing it.
Usually your user permissions would extend to one folder above your root, this would normally store other things like webstats etc.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39770300
There is no easy answer to your question.  Gary's response is a good one but it requires you to rewrite the code that accesses the files.  It also assumes that you have access above your web root directory which is not true on most shared hosting.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39771211
@Dave
Most shared hosting will give you FTP to a parent folder above your root as this is where your stats etc will be stored - well it has always been the case for me when I have used shared hosting in the past.
0
 

Author Comment

by:StellaBob
ID: 39771486
This particular host does allow access to the parent folder above the root.  Let me see what I can do there and I'll let you know.  Thanks.
0
 

Author Closing Comment

by:StellaBob
ID: 39873894
While I haven't figured out how to code this, I believe this answer would be the best option for me.  Thanks.
0

Featured Post

Get Database Help Now w/ Support & Database Audit

Keeping your database environment tuned, optimized and high-performance is key to achieving business goals. If your database goes down, so does your business. Percona experts have a long history of helping enterprises ensure their databases are running smoothly.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

631 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question