What are the best security measures to take for making certain directories private?

Question

I have a directory on my server that I do not want Search Engines to crawl and I already set this rule in robots.txt

I do want people that have logged in to be able to have access to this directory without having to enter a password or anything.

I am thinking that a cookie is the best thing to put on users computers after they login, and if they have a cookie, they can access the directory. Is this possible, or is there a better way?

I want people without this cookie to not have access to this directory - access for members only

Any suggestions on the best design for this?

Answer 1

The answer depends on the webserver used and, if any, also the server side language. Judging your question history, I'll bet that it's Apache HTTPD.

If that is true, then you can just put an .htaccess file in the folder in question to control the access by HTTP basic authentication. If you want more flexibility, you'll need to control it in the server side language in question. Basically you just need to store the logged-in user in the session and check on every request if the user is there and if it is allowed to do the request.

That said, since you tagged Javascript as well, it might be good to know that JS is a client side language and thus can be fully controlled/disabled/spoofed/hacked by the client. Forget about it when talking about security. JS is generally only good for progressive enhancement of the webpage.