URL File /Folder Security

Richard Lloyd
I have a web-based file manager system that allows users to log on and browse folders and files via a php script.

I use the Google Doc Viewer to display the files.

My problem is that if anyone works out the URL of the file, then they could bypass the file manager system and just access the file in any browser.

Can someone please advise the best way to secure the files on IIS against direct URL access from a browser, while still allowing the PHP script and the Google Doc Viewer to access them?
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
The common way to do this is to password protect all files.

For example, with WordPress, even if you know a file URL, you must be logged in to access the file if the file/directory is marked as protected.

If you've written custom code, then you'll have to build your own session management system.

Take a look at how WordPress session management works, then either use something similar or search for some other session management system.

I'd start with this search - site:github.com php site session management system - which produces 200K+ results.

Likely https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md will be a useful starting point.
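The approach the answer above describes (every file request goes through your own session check rather than straight to the web server) looks like this in practice. The following is an added example written for this thread, not code from the original post or from WordPress. It assumes the documents are stored in a folder outside the IIS site root (STORAGE_DIR, an assumed path), that the file manager sets $_SESSION['user_id'] on login, that a random server-side SECRET_KEY is kept out of the web root, and that the script is published as serve.php on example.com. Because the Google Doc Viewer fetches the file from Google's servers and has no session cookie, the file manager hands it a short-lived signed URL instead; the same script accepts either a logged-in session or a valid signature.

```php
<?php
declare(strict_types=1);

// Added example: single gatekeeper script for files stored OUTSIDE the web root,
// so IIS has no direct URL for them at all. Paths, key and session field are
// assumptions for illustration, not values from the original thread.
const STORAGE_DIR = 'D:\\private_files';            // assumed; must not be under wwwroot
const SECRET_KEY  = 'replace-with-32-random-bytes'; // assumed; load from config in practice
const LINK_TTL    = 300;                            // seconds a viewer link stays valid

// Resolve a user-supplied relative path inside STORAGE_DIR, rejecting traversal.
function resolve_path(string $relative): ?string
{
    $base = realpath(STORAGE_DIR);
    $full = realpath(STORAGE_DIR . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // realpath() has normalised "..", so a prefix check on canonical paths is enough.
    // Windows paths are case-insensitive, so compare accordingly there.
    $cmp = DIRECTORY_SEPARATOR === '\\' ? 'strncasecmp' : 'strncmp';
    if ($cmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // escaped the storage directory
    }
    return $full;
}

// Build the short-lived URL handed to the Google Doc Viewer: the relative path,
// an expiry timestamp, and an HMAC over both so neither can be altered.
function signed_url(string $relative, int $expires, string $base_url = 'https://example.com/serve.php'): string
{
    $sig = hash_hmac('sha256', $relative . '|' . $expires, SECRET_KEY);
    return $base_url . '?' . http_build_query(['f' => $relative, 'e' => $expires, 's' => $sig]);
}

// Verify a (path, expiry, signature) triple. hash_equals() is a constant-time
// compare, so the HMAC cannot be recovered byte by byte through timing.
function verify_signature(string $relative, int $expires, string $sig, int $now): bool
{
    if ($expires < $now) {
        return false; // link has expired
    }
    $expected = hash_hmac('sha256', $relative . '|' . $expires, SECRET_KEY);
    return hash_equals($expected, $sig);
}

// Decide whether a request may be served: an authenticated session (the file
// manager itself) or a valid signed link (the viewer). Returns the canonical
// path to send, or null to deny.
function authorise(array $query, array $session, int $now): ?string
{
    $relative = (string)($query['f'] ?? '');
    $path = resolve_path($relative);
    if ($path === null) {
        return null;
    }
    if (isset($session['user_id'])) {
        return $path;
    }
    if (isset($query['e'], $query['s'])
        && verify_signature($relative, (int)$query['e'], (string)$query['s'], $now)) {
        return $path;
    }
    return null;
}

// Web entry point (skipped when the file is included from the command line).
if (PHP_SAPI !== 'cli') {
    session_start();
    $path = authorise($_GET, $_SESSION, time());
    if ($path === null) {
        http_response_code(403);
        exit('Forbidden');
    }
    $type = function_exists('mime_content_type') ? mime_content_type($path) : false;
    header('Content-Type: ' . ($type ?: 'application/octet-stream'));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string)filesize($path));
    readfile($path);
}
```

In the file manager, after the session check passes, build the viewer link with `signed_url('reports/q1.pdf', time() + LINK_TTL)` and embed `https://docs.google.com/viewer?url=` followed by the rawurlencode()d link. Two caveats: the signed link is a bearer token, so anyone who sees it (a proxy log, a Referer header, a screenshot) can fetch that one file until it expires, which is why LINK_TTL is short and the site must be HTTPS-only; and the real fix for "anyone who works out the URL" is the storage folder sitting outside the site root, which leaves no direct URL to guess. Rewrite rules blocking the folder are only a second layer.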

Author

Commented:
Thank you. I'll take a look.
Hi,

Don't forget to prevent directory browsing:

# Disable directory listings unconditionally. "Options" is a core directive,
# so it needs no <IfModule mod_rewrite.c> wrapper; wrapping it would leave
# listings enabled on any server where mod_rewrite is not loaded.
Options -Indexes

# MultiViews is also a core Options flag. Turning it off stops Apache from
# answering a request for "/report" with "report.pdf" via content negotiation.
Options -MultiViews


This is for an Apache .htaccess file, but you can do the same in IIS:
https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module

You can also host your files on IDrive and use their API.
IDrive has an encoding system, and this allows you to have more space for your files.
https://www.idrivesync.com/evs/
https://github.com/evsapi/IDrive-Encrypted-File-System--EVS--REST-API-PHP-Library/blob/master/iDrive.php

Dropbox and other providers may have API too.
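For the IIS side of the advice above, the equivalent of `Options -Indexes` is a `directoryBrowse` element in the site's web.config. The fragment below is an added example for this thread, not configuration from the original post. It also shows a `hiddenSegments` rule, which is the simplest way to stop IIS from serving a folder by URL when the document store cannot be moved outside the site root; the folder name `files` is an assumption. Requests containing that segment get a 404 from request filtering, while a PHP script reading the same folder from disk is unaffected because that is a filesystem read, not an HTTP request.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- IIS equivalent of "Options -Indexes": never list a folder's contents. -->
    <directoryBrowse enabled="false" />

    <!-- If the document store has to stay under the site root, hide it from
         HTTP entirely. "files" is an assumed folder name for this example. -->
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="files" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Check it the same way an attacker would: request https://yoursite/files/somefile.pdf directly in a browser and confirm you get a 404, then confirm the PHP file manager still opens the same file through its own script.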
I am going to use cloudflare and their URL authentication method.
