Hi.

I have a website. Some folders on the website contain images and files like .pdf, .doc and .docx. The user can easily just type the address in the URL to get the file or display the photo:

http://site/folder1/img/pic1.jpg

Then boom... he can see the image or just download the file.

My question is: how to prevent this kind of action? How can I guarantee secure access to the files?

Any suggestions?

UPDATE TO CLARIFY MY IDEA

I don't want any user who is browsing the website to get access to these files normally by just writing the URL of the file. Those files are CV files; they are being uploaded by the users to a specific folder on the server, which we host outside the company. Those files are only being viewed by the HR people through a special system. That's the scenario we want. I don't want a WEB GEEK who just wants to see what files have been uploaded to this folder to download them easily to his/her computer and view them or publish them on the internet. I hope you got my idea.

+1  A: 

You can check the HTTP Referrer header as a way of checking that the link came from your site. Note that the referrer can be faked, but if you're just looking for a simple way to catch most folks, this does work.

You can make it so that referrer needs to have a session token in the url, making it more difficult to fake.
Ben S
I really didn't get your point. Can you give me an example? When the user types the full path of the file ("pdf or image"), then the image will be displayed and the file will be downloaded directly. I don't think there is some kind of page that is going to be executed. Am I wrong?
bogha
+2  A: 

To increase the security of your files you can put them in a directory outside the webroot, and then stream them to your webpages via a script. On top of this, the script that streams them has to be on an access controlled page. You can use .htaccess but I prefer a more flexible login system.

dnagirl
I will keep this option as a secondary solution if there is no other option. Thanks.
bogha
This is the only reasonably secure approach. To elaborate, you could have a PHP script or something similar that opens the file and writes its content out to the web request, thus never exposing the actual file to the web. The script and/or web server would be responsible for checking the user's credentials.
rmeador
+1  A: 

You can store the files being uploaded into a directory outside your web application, so that it is not directly accessible via a URL; this will ensure that the web server will not serve these files via a requested URL.

When you have to serve these files, ensure that the user who has requested the file does have access to it. In other words, check if the user is authorized to view the files - you might want to authorize the original user who uploaded the file and the HR users to have access to the file.

Since the web server does not have direct access to the files, preventing it from serving them, you will have to write a server-side script in a language of your choice (PHP/ASP/JSP etc., since you didn't indicate any) that will, upon post authorization checks, retrieve the file and serve its contents to the user.

Vineet Reynolds
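
The approach the last two answers describe (uploads stored outside the webroot, returned only by a script that checks authorization first), shown as an added Python example that is not code from any of the posters. The names `STORAGE_ROOT`, `UPLOADED_BY`, `serve_file`, the `user` dictionary shape and the `hr` role are assumptions made for illustration, and the sample file is constructed.

```python
import tempfile
from pathlib import Path

# Assumption: uploads live in a directory the web server maps to no URL.
STORAGE_ROOT = Path(tempfile.mkdtemp(prefix="cv_store_"))  # constructed for the demo

# Constructed sample data: stored file name -> id of the user who uploaded it.
UPLOADED_BY = {"alice_cv.pdf": "alice"}
(STORAGE_ROOT / "alice_cv.pdf").write_bytes(b"%PDF-1.4 constructed sample")


def is_authorized(user, filename):
    """HR staff may read every CV; an applicant may read only their own upload."""
    return user.get("role") == "hr" or UPLOADED_BY.get(filename) == user.get("id")


def safe_path(filename):
    """Map a requested name to a file under STORAGE_ROOT, or None if it escapes it."""
    root = STORAGE_ROOT.resolve()
    candidate = (root / filename).resolve()  # collapses ../ and follows symlinks
    try:
        candidate.relative_to(root)  # raises ValueError when outside the store
    except ValueError:
        return None
    return candidate if candidate.is_file() else None


def serve_file(user, filename):
    """Return (status, headers, body) for a download request."""
    if user is None:  # no authenticated session
        return 401, {}, b"login required"
    path = safe_path(filename)
    # Same answer for "missing" and "not yours", so file names cannot be probed.
    if path is None or not is_authorized(user, path.name):
        return 404, {}, b"not found"
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % path.name.replace('"', ""),
        "X-Content-Type-Options": "nosniff",  # browser must not guess a type
    }
    return 200, headers, path.read_bytes()
```

Because the file is reachable only through `serve_file`, typing a path into the address bar yields nothing unless the session belongs to HR or to the uploader.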