#1 (jrfiol)

    Prevent access to files using URL


    Hello, I am new to the forum and have been tasked with adding functionality to an existing dynamic web page. I have limited PHP coding experience.

    I have been successful in creating a link for logged-in users to an XML/XSL file:

    PHP Code:
    <?php
    // link target built from the login name stored in the session
    echo "../patientfiles/".$_SESSION['Login']."/ccd".$_SESSION['Login'].".xml";
    ?>
    However, if a user copies the URL, he/she may paste it in the browser at any time and access the file.

    Is there a way to display the file in the browser without giving up the path?

    Kindest regards,
#2 (gw1500se)

    What is your objective in preventing the user from copy/pasting the URL? That will determine how to solve the problem.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
#3 (jrfiol)

    Originally Posted by gw1500se
    What is your objective in preventing the user from copy/pasting the URL? That will determine how to solve the problem.
    The file contains sensitive information. My objective is to make sure that no one can see the file unless they are logged in.

    Each user will have his own file, in his own directory. But a tricky user could change the URL to see another user's information.

    The user can download, email the file...whatever. I just need the file to only be available from our server if a user is logged in and clicks on the link.

    PS - I really appreciate your quick response!
    Last edited by jrfiol; November 20th, 2012 at 01:12 PM. Reason: adding info
#4 (gw1500se)

    That is not a PHP function. Files that require authentication are protected by your settings in your HTTPD configuration. Are you using Apache or is this Windows?
#5 (jrfiol)

    Originally Posted by gw1500se
    That is not a PHP function. Files that require authentication are protected by your settings in your HTTPD configuration. Are you using Apache or is this Windows?
    Apache.
#6 (gw1500se)

    Then you need to do a few things.

    1) Implement SSL
    2) Use mod_rewrite to force https
    3) Set up authentication in Apache to restrict access to those files.
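The three steps above, written out as an Apache 2.4 configuration. This is an added example for this thread, not configuration posted by gw1500se or the OP; the hostname, certificate paths, the `/var/www/html/patientfiles` location, the htpasswd path and the user names `alice` and `bob` are all assumptions.

```apache
# Added example (not from the thread): Apache 2.4 config for gw1500se's three steps.
# Hostname, paths and user names are placeholders.

<VirtualHost *:80>
    ServerName example.com
    # Step 2: mod_rewrite sends every plain-HTTP request to HTTPS, so the
    # Basic-auth credentials never travel in clear text.
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html

    # Step 1: SSL (certificate and key paths are placeholders)
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Step 3: authentication on the patient-file tree.
    # AuthUserFile lives outside DocumentRoot so it can never be downloaded;
    # create/maintain it with the htpasswd(1) tool that ships with Apache.
    <Directory /var/www/html/patientfiles>
        SSLRequireSSL
        AuthType Basic
        AuthName "Patient files"
        AuthUserFile /etc/apache2/patientfiles.htpasswd
        # Deliberately NOT "Require valid-user": that would let any logged-in
        # account read every other user's directory (the "tricky user" in post #3).
        Require all denied
    </Directory>

    # One block per user: only that account may read that user's directory.
    # AuthType/AuthName/AuthUserFile are inherited from the parent block; the
    # inner Require replaces the parent's (AuthMerging Off is the 2.4 default).
    <Directory /var/www/html/patientfiles/alice>
        Require user alice
    </Directory>
    <Directory /var/www/html/patientfiles/bob>
        Require user bob
    </Directory>
</VirtualHost>
```

Two things to check before relying on this: `mod_ssl`, `mod_rewrite`, `mod_authn_file` and `mod_authz_user` must be loaded, and the Basic-auth accounts are separate from the PHP session login, so each user is prompted by the browser once per session in addition to the site's own login form (this is the "automating the login" problem raised in post #7, and the reason post #13 proposes a PHP gatekeeper instead).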
#7 (jrfiol)

    Originally Posted by gw1500se
    Then you need to do a few things.

    1) Implement SSL
    2) Use mod_rewrite to force https
    3) Set up authentication in Apache to restrict access to those files.
    3) Set up authentication in Apache to restrict access to those files. - By using .htaccess? I have, but I cannot figure out how to automate the login.

    My plan is to use a generic login account for all sub-directories and files, but I have failed miserably! I cannot submit the usr/pwd using plain text.

    Is there a way to embed the usr/pwd for this directory in the script without exposing it?
#8 (gw1500se)

    Sort of. While .htaccess is a solution, it is my understanding that it is deprecated and everything you want to do should be handled in your Apache configuration files. This thread is really beyond the scope of this forum. You don't have to worry about username and password exposure. That is all handled by Apache depending on your authentication method, and there are several. You can start here.
#9 (jrfiol)

    Originally Posted by gw1500se
    Sort of. While .htaccess is a solution, it is my understanding that it is deprecated and everything you want to do should be handled in your Apache configuration files. This thread is really beyond the scope of this forum. You don't have to worry about username and password exposure. That is all handled by Apache depending on your authentication method, and there are several. You can start here.
    Thanks a lot, really appreciate the manual.

    I have configured the user/password for the directory successfully. But I want to use only one user account, and include it in the script that calls the file.

    Has that been done?
#10 (gw1500se)

    You want all users to access it with the same account? That won't work because every user will have access to every protected file. The restriction is based on user name.

    Not sure what you mean by "include it in the script that accesses the file". If you've implemented authentication correctly, your script does not have to worry about it. Apache will prevent unauthorized access as well as prompt for the login.
    Last edited by gw1500se; November 20th, 2012 at 03:08 PM.
#11

    I'm not too sure of your directory structure, but is this file in a directory accessible via the internet? From the way your intent sounds, I would just keep these files in a location NOT accessible via the internet, so your PHP must locally fetch the file's content using your logged-in user's credentials and offer it back to the user.
#12 (gw1500se)

    It is my understanding there are multiple files and multiple users. Much more secure and less prone to holes to use built-in authentication and let Apache worry about it.
#13

    Originally Posted by jrfiol
    Hello, I am new to the forum and have been tasked with adding functionality to an existing dynamic web page. I have limited PHP coding experience.

    I have been successful in creating a link for logged-in users to an XML/XSL file:

    PHP Code:
    <?php
    echo "../patientfiles/".$_SESSION['Login']."/ccd".$_SESSION['Login'].".xml";
    ?>
    However, if a user copies the URL, he/she may paste it in the browser at any time and access the file.

    Is there a way to display the file in the browser without giving up the path?

    Kindest regards,
    So a more PHP-centric solution could be something like this:

    1. User logs in; at login their authentication status is saved into their session.
    2. Instead of generating a link to the specific file, you point it to a PHP file that checks if the user is logged in, then reads and outputs the XML to the browser if they are logged in.

    e.g.

    PHP Code:
    <?php
    session_start();

    // the login script sets this flag on success: $_SESSION['youruserisauthenticated'] = true;
    if (isset($_SESSION['youruserisauthenticated']) && $_SESSION['youruserisauthenticated'] === true) {
        // read in the xml file (a path outside the web root) and output it to the browser
        header('Content-Type: application/xml');
        readfile('/path/outside/webroot/ccd.xml'); // placeholder path
    } else {
        // notify the user they are not authenticated and provide a link to login
        echo 'You are not logged in. <a href="login.php">Log in</a>';
    }
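The two steps above, carried through for the OP's one-file-per-user layout and for post #11's advice to keep the files out of the web-accessible tree. This is an added example, not code from the thread or from the poster of #13; it assumes the site's login code stores the login name in `$_SESSION['Login']` (as the OP's link does), that the patient files live in the hypothetical directory `/var/www/patientfiles` outside `DocumentRoot`, and that the script is saved as `getfile.php` and linked to instead of the XML file itself.

```php
<?php
// getfile.php: serve the logged-in user's own CCD XML from OUTSIDE the web root.
// Added example, not code from the thread. Assumptions:
//  - the login code sets $_SESSION['Login'] to the user's login name on success
//  - patient files live in /var/www/patientfiles (hypothetical, outside DocumentRoot)
//  - each user has exactly one file: /var/www/patientfiles/<login>/ccd<login>.xml
session_start();

const PATIENT_DIR = '/var/www/patientfiles';

// Step 1 from post #13: the session, not the URL, says who is logged in.
$login = isset($_SESSION['Login']) ? $_SESSION['Login'] : null;
if ($login === null) {
    http_response_code(403);
    echo 'You are not logged in. <a href="login.php">Log in</a>';
    exit;
}

// The login name came from the session, so a "tricky user" editing the link
// cannot pick another directory. Still refuse anything that is not a plain
// identifier, so "../", "/" or a null byte can never become part of the path.
if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $login)) {
    http_response_code(400);
    exit('Unexpected login name in session');
}

// Step 2: build the path server-side; the client never sees it.
$path = PATIENT_DIR . '/' . $login . '/ccd' . $login . '.xml';

// Belt and braces: resolve symlinks and confirm the file is still inside PATIENT_DIR.
$real = realpath($path);
if ($real === false || strpos($real, PATIENT_DIR . '/') !== 0 || !is_file($real)) {
    http_response_code(404);
    exit('File not found');
}

// Send it as XML so the browser renders it (applying its xml-stylesheet, if any)
// rather than offering a download, and tell caches not to keep a copy.
header('Content-Type: application/xml; charset=utf-8');
header('Content-Length: ' . filesize($real));
header('Cache-Control: no-store');
readfile($real);
```

Because the XML is now served from `getfile.php`, a relative `<?xml-stylesheet href="ccd.xsl"?>` in the file is resolved against that script's URL, so the XSL either has to sit in a public directory next to the script or be served by the same kind of gatekeeper. A link to `getfile.php` can be copied and pasted freely: without a live session it returns 403, and with one it only ever returns that session's own file.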
