Protect uploaded files from non members

[Jas]

Once a file is uploaded to my server, I need to make it so that no one can view it unless they are logged in via PHP's SESSION function. I am open to any and all suggestions as to accomplishing this. Some things I was thinking about:

1. Using a scrpt (if there is a way; I am leaning away from .htaccess for this)
2. Splitting the file and storing it as halves, then putting it together for output (if possible)
3. encrypting the file and storing it, then unencrypting and outputing

Any other ideas or information on one of those? The bottom line is that I want to prevent nonmembers from accessing content without bugging the users. It would also be nice if it processes quickly and the work is minimal.

EDIT: One more point to ponder: different users will be able to view different things. (i.e. Joe Somebody can view video.MPEG, but not video2.MPEG)

[BLiZZaRD]

One easy way is to sett session variables.

after the member logs in they are taken to a new page I assume, one that non members don't see. in the top of this page put:

PHP Code:

session_start();
$_SESSION['allowed'] = yes; 


Then on the download page put this at the top:

PHP Code:

session_start();
if ($_SESSION['allowed'] != "yes") die('Inavlid download attempt'); 


As for your edot: request, you should use .htaccess. You can protect individual files this way and .htaccess is the most secure methd of protection right now (IMO).

For more Ideas see this page

[Jas]

Thank you! I haven't had time to really read it-- i've just skimmed it-- but it looks like it's what I need. If nothing else, it'll help. Thanks!

[Jas]

EDIT: Okay, so my question now is, will this work:

Code:

Order allow,Deny
deny from all
allow from 127.0.0.1

I have an PHP script that will force the download, but will this allow only that script to access the files in question? (It will probably have to be changes to the hosting IP when the server goes online, right?) It appears to work, but I don't know if this is a good solution. What do you all think?

[thetestingsite]

You could probably use htaccess to prevent viewing of files in a directory, if that's an option for you.

Hope this helps.

[Jas]

You could probably use htaccess to prevent viewing of files in a directory, if that's an option for you.

Hope this helps.

Thanks thetestingsite

I've already done Options -index if that's what you mean. It's a great trick, but I am looking to away to prevent people form getting to the file with an absolute URL-- whether a link or typed.

[BLiZZaRD]

okay two different things here. php scripting and .htaccess are not the same thing. Your order Deny function is an .htaccess module. It goes in a file named .htaccess somewhere usually at the /root of your server.

php scripting will go on the pages. .htaccess is the most secure method of securing files, and it will work like this:

The best way to secure content on your website is to use .htaccess/.htpasswd protection. This will password protect any directory and all directories below. You will need to create a .htaccess file which you put in the directory you want to protect. You will also need to create a .htpasswd file which you will put out of reach (see tip on Securing Your Package). The .htaccess file should contain the following:

AuthUserFile /full_unix_path_to_your_file/.htpasswd
AuthName "Any Name You Want"
AuthType Basic
require user username

Where username is the name of the user specified in the .htpasswd file.
You can also make that last line
require valid-user
to accept any user specified in the .htpasswd file.

You can also limit the password protection. For example put the .htaccess code inside these tags
<files file.ext>
htaccess protection code goes here
</files>
to limit the password protection to just the file "file.ext".

The .htpasswd file should genrally be put at your ftp root (above the public directory). It is in the form:

user:encrypted password

The best way to create these files is using notepad (for example create htaccess.txt in notepad), then upload, then rename on the server (.htaccess).

[Jas]

Sorry! I meant that I was using PHP AND .htaccess. I was wondering if this .htaccess would work with a DLing PHP script that I already have.

The PHP script uses headers to "force" a DL box to popup for the user. I set up .htaccess to block all files EXCEPT to the IP address of the server. That way, no on can access the files directly, only PHP can get to them. Will that work, or am I on the wrong track?

[djr33]

Well, .htaccess shouldn't be involved in the server, I don't think. (Honestly, I didn't read the posts before this, so I might just be operating on bad guesses.)

The way you could set that is easy--
Disallow everyone access to a folder.
Place the files in that folder.
Use PHP to retrieve the files; PHP won't be stopped as it's on the same machine; local access; ie, you won't need to allow the server's IP, etc. (Some permissions should be set on the files, though, so PHP can read them, I think.)

[Jas]

I am a little confused by your answer. You seem to be contradicting yourself in that post, or else I am just REALLY lost. Could you a explain a little better djr33?