
Hi guys!

I wrote this VERY simple PHP login system:

<?php
    session_start();
    $error = '';

    if (isset($_POST['username']) && isset($_POST['password']))
    {
        // Hard-coded credentials: the question says this protects nothing valuable.
        if ($_POST['username'] === 'user' && $_POST['password'] === 'pass')
        {
            $_SESSION['client'] = 'ok';
            // After sending the Location header, stop the script; otherwise the
            // rest of the page is still rendered and sent along with the redirect.
            header("Location: /kit/kit/index.php");
            exit();
        }
        else
        {
            $error = 'Incorrect username or password.';
        }
    }

?>

Don't worry about the vulnerability issues; it's not protecting anything valuable.

In every .php page I add:

<?php
    session_start();

    // Gate: only a session that went through the login script carries client == 'ok'.
    if (!isset($_SESSION['client']) || $_SESSION['client'] !== 'ok')
    {
        header("Location: /kit/index.php");
        exit();   // never render the protected page after the redirect
    }

?>

This protects the .php sessions just fine.

The problem is that this doesn't protect the files.

I mean, if I go directly to:

something/other/file.zip

it will download it whether you have logged in or not.

I notice this must be a complete newbie question but, WTH, you have to start somewhere...

I hope the question is clear enough.

If not, please ask!

Thanks in advance!! Cheers!

Juan

A: 

You need .htaccess to deny access to the folder.

luckytaxi
OK, but what should I write in it? Where can I read about this topic in particular? Thanks!!
Trufa
OK, check my post; I wrote there how to create it.
Pavan
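Added example, not from the answer above: the contents of a .htaccess that refuses every direct browser request for a folder that has to stay inside the document root. It assumes Apache (2.4 syntax, with the 2.2 equivalent commented out) and that the host sets AllowOverride so that .htaccess files are honoured for this directory; the folder name /kit/files/ is an assumption.

```apache
# /kit/files/.htaccess   (assumed location; added example, not from the original post)

# Apache 2.4: deny every direct HTTP request for anything in this directory.
Require all denied

# Apache 2.2 equivalent (use one form or the other, never both):
# Order deny,allow
# Deny from all

# Never show a directory listing, even if the deny line above is removed later.
Options -Indexes
```

The deny applies to HTTP requests only: a PHP script on the same server still opens these files through the filesystem (readfile(), fopen()), so this is the natural companion to a download script that checks the session first. Verify it after uploading: a request such as `curl -I http://www.yoursite.com/kit/files/file.zip` must return 403. If the host runs nginx, or AllowOverride is None, the file is silently ignored and the download keeps working, so never assume the deny is in place without that check.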
A: 

Store all files you don't want downloaded outside the DocumentRoot.

stillstanding
You mean before the public_html folder? How do I link to them then? Thanks!
Trufa
I've explained this in my post as well, if you want to know how to link them.
Pavan
You need a download script similar to what's described here: http://www.finalwebsites.com/forums/topic/php-file-download
stillstanding
+1  A: 

To stop a user from seeing the directory, all you need to do is create an index page in that folder. Ex: index.htm, index.html, default.htm, default.html.

To stop a user from entering the folder (e.g. stop anyone from viewing http://www.yoursite.com/myFolder/), you may need to access some features of your web host. Some hosts allow you to password protect files or folders. You can also create an .htaccess file/folder.

An htaccess file is a simple ASCII file, such as you would create through a text editor like NotePad or SimpleText. Many people seem to have some confusion over the naming convention for the file, so let me get that out of the way.

.htaccess is the file extension. It is not file.htaccess or somepage.htaccess, it is simply named .htaccess

Create the file

In order to create the file, open up a text editor and save an empty page as .htaccess (or type in one character, as some editors will not let you save an empty page). Chances are that your editor will append its default file extension to the name (ex: for Notepad it would call the file .htaccess.txt). You need to remove the .txt (or other) file extension in order to get yourself htaccessing--yes, I know that isn't a word, but it sounds keen, don't it? You can do this by right clicking on the file and renaming it by removing anything that doesn't say .htaccess. You can also rename it via telnet or your ftp program, and you should be familiar enough with one of those so as not to need explaining.

htaccess files must be uploaded as ASCII mode, not BINARY. This makes the file usable by the server, but prevents it from being read by a browser, which can seriously compromise your security. (For example, if you have password protected directories, if a browser can read the htaccess file, then they can get the location of the authentication file and then reverse engineer the list to get full access to any portion that you previously had protected. There are different ways to prevent this, one being to place all your authentication files above the root directory so that they are not www accessible, and the other is through an htaccess series of commands that prevents itself from being accessed by a browser, more on that later)

JUST IN CASE: stop users from downloading your file

Store all things that are downloadable outside your document root, which means before the public_html folder.

EDIT: updated the section below to show graphical representation of folder structure

How do you access them, then?

work
    downloadableFiles
        downloadables
        -    memberOnlyFile.zip
        -    welcomePackage.zip
        -    membershipVideo.mov
        photos
        -    photo1.jpeg
        -    photo2.jpeg
    public_html
    -   index.htm
        About
        -    about.html
        -    about.gif
        LogIn
        -    login.htm
        -    loginScreen.htm
        -    loginFancyButton.gif

Now, anything in the public_html folder the world can see through your website.

Anything outside your public_html folder will not be visible directly to the world through your website by typing the file name into the address bar of their browser. So that's a good thing, as we are going to save all the files we don't want to give access to outside of the public_html folder.

Now say you want a certain user to be able to download a file, say maybe a logged-in user. You can still make the file downloadable by having a link to that file.

If we are at the login page, to access the loginScreen webpage you just write down the hyperlink like so:

<a href="loginScreen.htm">login screen</a>

since that page is in the same folder. Now, if you want to allow a user to download a file from the downloadable files folder, which is outside the public_html folder, since it is not in that folder itself you just reference it like so:

How would we get to that folder if we are in the LogIn folder viewing the loginScreen.htm page? You go one folder back, so we end up in the public_html folder. Then we go another folder back, so we are in the work folder.

So it would look like this so far:

../../ which means two folders back.

Then, to access memberOnlyFile.zip, we need to go into the downloadableFiles folder, then into the downloadables folder, and then we can link to the file memberOnlyFile.zip, which is the file we were looking for before.

So the full link now becomes

<a href="../../downloadableFiles/downloadables/memberOnlyFile.zip">download file</a>

This way the user cannot access the file by simply typing it into the address bar, but can download it if you reference it yourself like the above.

Hope this helps

PK

Pavan
Yeah, the index.php I got right... the thing is that everybody is talking about the .htaccess, and I know it exists and I know where it is, but I don't know what to do with it! Thank you!!
Trufa
You just leave it in the folder.
Pavan
I've also changed my post so you know exactly how to link the downloadable files. This is a brilliant way to do this; this way no one can go on your site and start typing in www.yoursite.com/downloadMembershipFile.zip
Pavan
First, thanks for the help man! I don't know how to explain it, but I can't get my head around something. I noticed that if I put a blank .htaccess file it asks me for user and pass; where do I set them?? Second, I already have a .html login page; "how can I use the .htaccess file with this html login?" Does this make any sense at all? Thanks again. Sorry :)
Trufa
-1. "htaccess files must be uploaded as ASCII mode ... This ... prevents it from being read by a browser". Er, no it doesn't.
tc.
OK, just a second! I think I got it!
Trufa
@tc Have a look at this. http://www.javascriptkit.com/howto/htaccess.shtml
Pavan
That's good to hear. Let me know when you do have it, Trufa.
Pavan
@Pavan I think I'm almost there, but I can't really get how to link (literally) to files before the public_html; no matter how many ../ I put, it doesn't seem to go further up than the document root...
Trufa
What do you mean by "it doesn't go further up than the document root"?
Pavan
Mmm, not sure how to say it... I mean access it with a link, link to it. I always end up linking to something inside the document root no matter how many ../ I put.
Trufa
Don't worry, I've rewritten my post at the end on how to access the files. I've shown you how you can access them with a link. This is exactly how you do it; there are no mistakes in there. :D Check it out.
Pavan
@Pavan Haven't figured it out yet, but I'm sure there is enough there for me to solve it. It's Friday night and I have to honor it :) I will continue with the problem tomorrow with a fresh view and a hangover! Really, thank you very much for all the trouble; I'm truly grateful!!
Trufa
I read this message on the day but I was knackered and thought I'd comment the day after (now): no problem. If you need any more help, do let me know.
Pavan
A: 

Just have a PHP download script like this one, which will get the file from below the public_html folder.

Scott
Thanks, I'm getting to this with Pavan!
Trufa
This seems interesting, I'm trying it out!
Trufa
A: 

"Static" files are served by the webserver, not PHP, so authentication is handled differently. There are two easy ways around this:

  • Handle all authentication in the webserver, e.g. with HTTP basic/digest authentication. Apache 2.2 has a helpful introduction.
  • Serve the files with PHP, e.g. with foo.php/path/to/file if you have "pathinfo" enabled (according to the PHP docs you set AcceptPathInfo=ON in the server config somewhere) or foo.php?path=path/to/file, which is pretty terrible, but oh well.

There is a more enterprisey solution:

  • Write an authentication module for your download server which understands authentication cookies from the other site. Many big sites do this (adcdownload.apple.com comes to mind), partly so they can stick the downloads on a CDN but still have some sort of access control.

There is a lazy workaround:

  • Stick everything in an "unguessable" directory name (e.g. some random base64 chars). Make sure you can't list the parent directory (the easiest way is to create an empty "index.html" file).
tc.
I will try some of this as soon as I can understand what Pavan is trying to explain to me. Thanks!!
Trufa
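Added example, not code from the question or from any of the answers: the download script that Scott's and tc.'s answers refer to, written against the folder layout in Pavan's answer (files under work/downloadableFiles/downloadables, the site under work/public_html). It assumes the script lives at public_html/kit/download.php and reuses the $_SESSION['client'] == 'ok' flag set by the login script in the question; everything else (the ?file= parameter name, the directory names) is an assumption. The point it demonstrates beyond the answers is the part a download script most often gets wrong: the file name from the query string must never be allowed to select a path outside the download directory.

```php
<?php
// download.php -- added example, not from the original question or answers.
// Serves files that live OUTSIDE the document root, to logged-in users only.
//
// Assumed layout (from Pavan's tree; adjust to your host):
//   work/downloadableFiles/downloadables/   <- protected files, not reachable by URL
//   work/public_html/kit/download.php       <- this script
// Only public_html/ is served by the web server, so the files can be fetched
// only through this script, which checks the session first.

session_start();

// 1. Same gate as every other protected page.
if (!isset($_SESSION['client']) || $_SESSION['client'] !== 'ok') {
    header('Location: /kit/index.php');
    exit();
}

// 2. Directory holding the protected files, as an absolute path.
//    __DIR__ is public_html/kit, so two levels up is "work".
$baseDir = realpath(__DIR__ . '/../../downloadableFiles/downloadables');
if ($baseDir === false) {
    http_response_code(500);
    exit('Download directory is missing.');
}

// 3. Accept only a bare file name: letters, digits, dot, dash, underscore,
//    starting with a letter or digit (so no ".htaccess", no "../").
//    This is the whole defence against ?file=../../../etc/passwd.
$name = isset($_GET['file']) ? $_GET['file'] : '';
if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,100}$/', $name)
    || strpos($name, '..') !== false) {
    http_response_code(400);
    exit('Bad file name.');
}

// 4. Resolve the final path and re-check that it is still inside $baseDir.
//    realpath() follows symlinks, so a link planted in the directory that
//    points somewhere else is rejected here instead of being served.
$path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
if ($path === false || !is_file($path)
    || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('No such file.');
}

// 5. Send the bytes as an attachment. The type is fixed to octet-stream so a
//    stray .html in the folder can never render in the site's own origin;
//    nosniff stops browsers from guessing a different type anyway.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $name . '"');  // $name is already restricted to safe characters
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');

readfile($path);
exit();

// From a protected page, link to the script rather than to the file:
//   <a href="/kit/download.php?file=memberOnlyFile.zip">download file</a>
```

This replaces the `../../` link in Pavan's answer, which a browser cannot follow because the web server only resolves URLs under public_html; the script reaches above the document root through the filesystem instead. Quick checks after deploying: requesting `/kit/download.php?file=memberOnlyFile.zip` without logging in must redirect, `?file=../download.php` and `?file=.htaccess` must return 400, and a name that passes the pattern but does not exist must return 404. For very large files, readfile() keeps PHP busy for the whole transfer; on Apache with mod_xsendfile or nginx with X-Accel-Redirect the same script can do the checks and then hand the actual transfer back to the web server.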