Richard Lloyd
asked on
URL File /Folder Security
I have a web-based file manager system that allows users to log in and browse folders and files via a PHP script.
I use the Google Doc Viewer to display the files.
My problem is that if anyone works out the URL of the file, then they could bypass the file manager system and just access the file in any browser.
Please can someone advise the best way to secure access to the files with IIS from direct URL browser access, but allow the PHP script, and the Google Doc Viewer, to access them.
ASKER
Thank you. I'll take a look.
Hi,
Don't forget to prevent directory browsing:
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews -Indexes
</IfModule>
</IfModule>
This is for an Apache .htaccess file, but you can do the same in IIS:
https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module
You can also host your files on iDrive and use their API.
iDrive has an encoding system, and this allows you to have more space for your files.
https://www.idrivesync.com/evs/
https://github.com/evsapi/IDrive-Encrypted-File-System--EVS--REST-API-PHP-Library/blob/master/iDrive.php
Dropbox and other providers may have APIs too.
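The IIS counterpart of that .htaccess snippet, as an added example that is not part of the answer above: a web.config fragment that switches directory listing off and uses request filtering to refuse any URL that touches the upload folder, so a guessed link is answered by IIS before PHP ever runs. It assumes (hypothetically) that the uploaded files sit in a folder named "files" under the site root; the PHP script still reads that folder from disk, because hidden segments only block URLs, not file system access.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original answer. Assumes the uploads live in
     a folder named "files" inside the IIS site root (assumption) and that the
     PHP file manager streams them from disk itself. -->
<configuration>
  <system.webServer>
    <!-- Same effect as Apache "Options -Indexes": never list folder contents. -->
    <directoryBrowse enabled="false" />
    <security>
      <requestFiltering>
        <!-- Any request whose URL path contains the segment "files", e.g.
             /files/report.pdf, is rejected by IIS with a 404 (substatus 404.8).
             The folder itself stays readable for scripts on the server. -->
        <hiddenSegments>
          <add segment="files" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Two caveats: a hidden segment matches that name anywhere in a URL path, so pick a folder name that is not used by any legitimate URL on the site; and once direct URLs are blocked, the Google Doc Viewer (which fetches the document from Google's servers, not from the user's browser) can only reach the file through a PHP script that serves it, not through the static URL.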
ASKER CERTIFIED SOLUTION
For example, with WordPress, even if you know a file URL, you must be logged in to access the file if the file/directory is marked as protected.
If you've written custom code, then you'll have to build your own session management system.
Take a look at how WordPress session management works, then either use something similar or search for some other session management system.
I'd start with this search - site:github.com php site session management system - which produces 200K+ results.
Likely https://github.com/OWASP/C
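One way to build the gate this answer describes, as an added example that is not code from the question, the answers or any project: a single PHP script that is the only route to the files. It assumes (all hypothetical) that the files are stored in C:\filestore, outside the IIS site root; that the file manager sets $_SESSION['user'] on login; and that a secret signing key is loaded from a config file that is also outside the site root. A logged-in browser is served directly from the session. The Google Doc Viewer never carries the user's session cookie, because Google's servers fetch the document, so for it the file manager generates a short-lived URL signed with an HMAC, and the same script accepts that signature instead of a session.

```php
<?php
// getfile.php -- added example, not the original poster's code.
// Assumptions (hypothetical): files live in C:\filestore outside the IIS web
// root, login sets $_SESSION['user'], and $SIGNING_KEY comes from a config
// file outside the web root.
declare(strict_types=1);

const STORE_ROOT = 'C:\\filestore';   // never under the IIS site root
const TOKEN_TTL  = 300;               // seconds a signed viewer link stays valid
$SIGNING_KEY = 'replace-with-32-random-bytes-loaded-from-config';  // assumption

session_start();

// Map a user-supplied relative path onto the store and refuse anything that
// escapes it: "..", absolute paths, null bytes, or a sibling folder such as
// C:\filestore2 (hence the separator appended before the prefix compare).
function resolve_store_path(string $relative): ?string
{
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    $base = realpath(STORE_ROOT);
    $full = realpath(STORE_ROOT . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    $cmp = DIRECTORY_SEPARATOR === '\\' ? 'strncasecmp' : 'strncmp'; // NTFS is case-insensitive
    return $cmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Short-lived signed link for the Google Doc Viewer: the file manager calls
// this and embeds https://docs.google.com/viewer?url=<absolute signed URL>.
function signed_url(string $relative, string $key, int $ttl = TOKEN_TTL): string
{
    $exp = time() + $ttl;
    $sig = hash_hmac('sha256', $relative . '|' . $exp, $key);
    return '/getfile.php?' . http_build_query(['f' => $relative, 'exp' => $exp, 'sig' => $sig]);
}

function signature_valid(string $relative, string $exp, string $sig, string $key): bool
{
    if (!ctype_digit($exp) || (int) $exp < time()) {
        return false;                                     // malformed or expired
    }
    $expected = hash_hmac('sha256', $relative . '|' . $exp, $key);
    return hash_equals($expected, $sig);                  // constant-time compare
}

// ---- request handling ----
$relative = (string) ($_GET['f'] ?? '');
$path = resolve_store_path($relative);
if ($path === null) {
    http_response_code(404);
    exit;
}

$authorised = isset($_SESSION['user'])                    // browser with a live login
    || (isset($_GET['exp'], $_GET['sig'])                 // Google viewer using a signed link
        && signature_valid($relative, (string) $_GET['exp'], (string) $_GET['sig'], $SIGNING_KEY));
if (!$authorised) {
    http_response_code(403);
    exit;
}

$name = str_replace(['"', "\r", "\n"], '', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: inline; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the signed link is what lets Google fetch the document, anyone who obtains that link can use it until it expires; keep TOKEN_TTL short and generate a fresh link each time the viewer is opened rather than storing one. Keeping the files outside the site root (rather than only hiding the folder with rewrite or request-filtering rules) means a misconfiguration in IIS cannot expose them.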