I am creating a PHP script for my website that would allow my clients to log in to their client account and view a list of files I've uploaded for them. Then they can download them without having to log in again or re-enter a password.

I want to keep it secure so that not just anyone can come in and download the files if they know the client's name.

I've tried .htaccess, protecting the folders, etc., but it doesn't seem to work. I've written the client login script that lets them log in and view a list of files in their directory, but I can't have them right-click to download a file without having them log in.

Something similar can be seen here: http://forums.cgsociety.org/showthread.php?f=76&t=808482

In the 2nd post, if you try to click delete.jpg it won't let you download it without logging in. I want this similar feature for my site.

The site is created in PHP, with a MySQL database.

A: 

You could use cookies to signify that the user has been there before and been authenticated. Make the value of the cookie fairly random, so it can't be guessed. I would encrypt the username . timestamp and store that with the username, as username_token; that way you can time people out and force them to log in again later, if you want.

Then, move the files out of the webapp directory, and have a cgi program that will show the files in the directory, and allow them to download them.

This way you can control what people see, and what actions are allowed.

James Black
+1  A: 

The folder itself should have security permissions set that regular users do not have access to it, only whatever user runs the PHP process.

Your PHP scripts act as a passthrough for the actual file system. The users don't have permissions to see a list of files, but your scripts do. The users don't have permissions to access a file, but your scripts do so you can open them as binary files and write the data out to be sent to the user.

Do some research into PHP file downloaders; this is fairly standard behaviour.

Rob Drimmie
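Both answers describe the same pattern: keep the files outside the web root, and let a PHP script that first checks the login state list the directory and stream the bytes. The script below is an added example written for this page, not code from either answerer. It assumes a login script has already verified the password and set `$_SESSION['client_id']` (an integer primary key from the MySQL clients table) and `$_SESSION['login_time']`; that each client's files live under `/var/clients/<client_id>/`, readable only by the user the PHP process runs as; and that this file is served as `download.php`. The directory path, session keys, and 30-minute timeout are all assumptions.

```php
<?php
// Added example: authenticated listing + passthrough download of client files.
// Assumes login.php already set $_SESSION['client_id'] and $_SESSION['login_time'].
declare(strict_types=1);

const CLIENT_FILES_ROOT = '/var/clients'; // assumed location, outside DocumentRoot
const SESSION_TTL_SECONDS = 1800;          // assumed inactivity timeout (30 min)

// The PHP session id cookie is already long and random, which covers the
// "cookie that can't be guessed" requirement; HttpOnly keeps script from reading it.
ini_set('session.cookie_httponly', '1');
session_start();

// 1. No authenticated session: no listing and no download.
if (!isset($_SESSION['client_id'], $_SESSION['login_time'])) {
    http_response_code(401);
    exit('Please log in.');
}

// 2. Time people out so a stale browser session cannot keep downloading forever.
if (time() - (int) $_SESSION['login_time'] > SESSION_TTL_SECONDS) {
    session_destroy();
    http_response_code(401);
    exit('Session expired, please log in again.');
}

// 3. Resolve this client's own directory. The id is cast to int so it can
//    never carry a path separator or "..".
$clientDir = realpath(CLIENT_FILES_ROOT . '/' . (int) $_SESSION['client_id']);
if ($clientDir === false || !is_dir($clientDir)) {
    http_response_code(404);
    exit('No files available.');
}

// 4. Listing mode: the script enumerates the directory on the user's behalf;
//    the web server itself never exposes the folder.
if (!isset($_GET['file'])) {
    header('Content-Type: text/html; charset=utf-8');
    echo '<ul>';
    foreach (scandir($clientDir) as $entry) {
        if ($entry === '.' || $entry === '..' || !is_file($clientDir . '/' . $entry)) {
            continue;
        }
        $link = 'download.php?file=' . rawurlencode($entry);
        echo '<li><a href="' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8') . '">'
           . htmlspecialchars($entry, ENT_QUOTES, 'UTF-8') . '</a></li>';
    }
    echo '</ul>';
    exit;
}

// 5. Download mode: drop any directory component the client supplied, then
//    confirm the resolved path is still inside the client's folder. realpath()
//    follows symlinks, so a link pointing elsewhere also fails the prefix check.
$name = basename((string) $_GET['file']);
$path = ($name === '' || $name === '.' || $name === '..')
    ? false
    : realpath($clientDir . '/' . $name);
if ($path === false
    || strpos($path, $clientDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('File not found.');
}

// 6. Stream the bytes ourselves. Content-Disposition forces a save prompt and
//    nosniff stops the browser from guessing a type and rendering HTML inline.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
while (ob_get_level() > 0) {   // flush output buffers so large files stream
    ob_end_clean();
}
readfile($path);
exit;
```

A right-click "Save link as" on one of the listed links sends the session cookie with the request, so the download works without a second login, while a visitor who only knows the client's name and guesses the URL gets the 401. The file system permissions on `/var/clients` should deny everyone except the PHP process user, so the only path to the bytes is through this script.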