PHP5 - Prevent access to files using URL

Hello, I am new to the forum and have been tasked with adding functionality to an existing dynamic web page. Limited php coding experience.

I have been successful in creating a link, for logged in users to an xml/xsl file:



however, if a user copies the url, he/she may paste it in the browser at any time and access the file.

is there a way to display the file in the browser, without giving up the path?

Kindest regards,

What is your objective in preventing the user from copy/pasting the URL? That will determine how to solve the problem.

The file is of sensitive info. My objective is to make sure that no one can see the file unless they are logged in.

Each user will have his own file, in his own directory. But a tricky user could change the url to see another users information.

The user can download, email the file...whatever. I just need the file to only be available from our server if a user is logged in and clicks on the link.

PD - I really appreciate your quick response!

That is not a PHP function. Files that require authentication are protected by your settings in your HTTPD configuration. Are you using Apache or is this Windows?

apache

Then you need to do a few things.

1) Implement SSL
2) Use mod_rewrite to force https
3) Set up authentication in Apache to restrict access to those files.

3) Set up authentication in Apache to restrict access to those files. - by using htaccess? i have, but cannot figure out how to automate the login.

my plan is to use a generic login account for all sub-directories and files. but have failed miserably! i cannot submit the usr/pwd using plain text.

Is there a way to embed the usr/pwd for this directory in the script without exposing it?

Sort of. While .htaccess is a solution, it is my understanding that it is depreciated and everything you want to do should be handled in your Apache configuration files. This thread is really beyond the scope of this forum. You don't have to worry about username and password exposure. That is all handled by Apache depending on your authentication method and there are several. You can start here.

Thanks a lot, really appreciate the manual.

I have configured the user/password for the directory successfully. But i want to use only one user account, and include it in the script that calls the file.

Has that been done?

You want all users to access it with the same account? That won't work because every user will have access to every protected file. The restriction is based on user name.

Not sure what you mean by "include it in the script that accesses the file". If you've implemented authentication correctly, your script does not have to worry about it. Apache will prevent unauthorized access as well as prompt for the login.

I'm not too sure your directory structures, but is this file in a directory accessibly via the internet? From the way your intent sounds, I would just keep these files in a location NOT accessible via the internet, so your php must locally fetch the file's content using your logged in user's credentials and offer it back to the user.

It is my understanding there are multiple files and multiple users. Much more secure and less prone to holes to use built-in authentication and let Apache worry about it.

So a more PHP centric solution could be something like this:

1. User logs in, at login their authentication status is saved into their session
2. Instead of generating a link to specific file, you point it to a php file that checks if the user is logged in, then it reads and outputs the xml to the browser if they are logged in.

e.g.