Limiting access to files

I need to be able to limit access to certain directories. I can do this by chmod or using mod_rewrite, but I also need access to be granted if a user has a password.

These directories cannot be moved from one directory to another and must stay in the same place. The only thing that must change is whether they can be accessed publicly or via logging in.

So for instance, the contents of http://example.com/stuff/ must not be accessible publicly, but if I have a password they can. However, I, the owner of the website, must be able to change this on a whim - i.e. remove the restriction, or add it.

How do I go about doing this? I’d like to avoid server-stuff (htaccess things, chmod, etc) as much as possible.

If you have something like CPanel, you can set usernames and passwords on directories through a simple interface (in CPanel: Security > Password Protect Directories).

Or you can do it manually as explained here, though it involves some of the stuff you didn’t want to touch.

I’ve used these two methods, but there may be better ways of doing this.

Can you elaborate as to what type of files you want to protect? In all honesty though, using an .htaccess to implement a user/pass combo will be less work than a PHP based solution.

I can’t use CPanel because it’s not my website. I’m just providing stuff to be installed on someone else’s server. Also, the users with access are not static and can change all the time.

The files are images, SWFs, FLVs, MP4s, PDFs and common MS Office files. They are for an institution where members are given a password to access this stuff. There are no usernames, just the passwords (this is what I’ve been told to do) so that people don’t need an “account”, just this password. None of the stuff is especially sensitive, they just don’t want some of these directories to be crawled by Google or accessed directly if one of the members posts a link to the file somewhere.

Modifying the .htaccess file with PHP would be easy enough to do. The problem is that I can’t use those modal user/pass things. It has to be web based (i.e. HTML forms).

Any ideas?

Ah, then maybe PHP is the way to go. :slight_smile:

Store all the media in a directory above webroot, then simply proxy the data through PHP. Simply create a form, post it to a script to check the submitted password, and if it matches start a session and store a value to indicate they are authorised.

You then create a script to send the file to the user if they have this session variable, if not, send 'em to the login form.

script.php?file=media/flv/grannydances.flv

For example.

This is also an easy thing to do with a CMS, where all the functionality is built in. The site owner can then just assign privileges via a web interface in their control panel. Is a CMS an option?

login.php


<?php
// Shared password for the whole member area (no usernames, as the site owner asked).
define('PASSWORD', 'Sup3r53cretP@ssw0rd');

function redirect($url){
  header("Location: $url");
  exit;
}

// hash_equals() compares in constant time, so the check does not leak
// how many leading characters of a guess were right.
if(empty($_POST['password']) || !is_string($_POST['password'])
   || !hash_equals(PASSWORD, $_POST['password'])){
  redirect('http://www.example.org/login.html');
}

session_start();
session_regenerate_id(true);      // fresh session id once the password is accepted
$_SESSION['authorised'] = true;
session_write_close();
redirect('http://www.example.org/filelist.html');
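The other half of the proxy approach, the script that actually sends the file, is where the real risk sits: a URL such as `script.php?file=media/flv/grannydances.flv` invites `file=../../etc/passwd` unless the path is pinned to one directory. The following `serve.php` is an added example written for this thread, not code posted by anyone in it. It assumes the files live under a `media/` directory next to the script (the "subdir of the webroot" case discussed later in the thread), that `login.php` above has set `$_SESSION['authorised']`, and that the site owner toggles protection by editing the `$protected` list rather than rewriting `.htaccess`. The directory names, file-type table and `/login.html` target are illustrative assumptions.

```php
<?php
// serve.php -- added example for this thread, not any poster's code.
// Assumed layout:  <webroot>/serve.php  and  <webroot>/media/<dir>/<file>
// Requests look like:  serve.php?file=flv/grannydances.flv
declare(strict_types=1);

// Only directory serve.php is allowed to read from (assumption).
define('MEDIA_ROOT', __DIR__ . '/media');

// Top-level directories under MEDIA_ROOT that currently need the password.
// The site owner edits this list to add or remove a restriction "on a whim".
$protected = ['flv', 'pdf'];

// Allowed extensions and the Content-Type to send; anything else is refused,
// so the script can never be talked into serving .php, .htaccess, etc.
$types = [
    'jpg' => 'image/jpeg',  'png' => 'image/png',  'gif' => 'image/gif',
    'swf' => 'application/x-shockwave-flash', 'flv' => 'video/x-flv',
    'mp4' => 'video/mp4',   'pdf' => 'application/pdf',
    'doc' => 'application/msword', 'xls' => 'application/vnd.ms-excel',
    'ppt' => 'application/vnd.ms-powerpoint',
];

function deny(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

$requested = $_GET['file'] ?? '';
// Reject non-strings and embedded NUL bytes before touching the filesystem.
if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
    deny(404, 'Not found');
}

// realpath() collapses "../" and symlinks; the prefix check then rejects
// anything that resolved to outside MEDIA_ROOT (e.g. "../../etc/passwd",
// "flv/../../serve.php", or a symlink pointing elsewhere).
$root = realpath(MEDIA_ROOT);
$path = realpath(MEDIA_ROOT . '/' . $requested);
if ($root === false || $path === false || !is_file($path)
    || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
    deny(404, 'Not found');
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($types[$ext])) {
    deny(403, 'File type not served');
}

// The first path component below MEDIA_ROOT decides whether a password is needed.
$relative = substr($path, strlen($root) + 1);
$topDir   = explode(DIRECTORY_SEPARATOR, $relative, 2)[0];
if (in_array($topDir, $protected, true)) {
    session_start();
    if (empty($_SESSION['authorised'])) {
        header('Location: /login.html');   // assumed location of the form
        exit;
    }
    session_write_close();   // release the session lock before streaming a big file
}

header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
// readfile() streams the file to the client without reading it all into memory.
readfile($path);
```

Because the files stay under the webroot, the `media/` directory still needs to be closed to direct requests; a one-line `media/.htaccess` containing `Require all denied` (Apache 2.4) or `Deny from all` (Apache 2.2) does that, and PHP's own `readfile()` is unaffected by it because the restriction applies to HTTP requests, not to filesystem reads. That file never needs rewriting: protection is toggled in `$protected`. On a host that ships mod_xsendfile, the final `readfile($path)` can be replaced by `header('X-Sendfile: ' . $path)` so Apache sends the bytes itself, which removes most of the per-request cost the thread asks about.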

I was thinking this might be the way to go, but I was concerned about uglifying the URLs. Ralph, the CMS is not an option - this is basically a mini-CMS (only a few specific functions).

But to stop someone copying the media/flv/grannydances.flv bit into the address bar and hitting enter, I’d still have to add htaccess rules restricting direct access to those directories, right?

I’m still a little confused. Suppose someone bangs http://example.com/media/meerkat.jpg into their browser. It’s in a directory that needs the password. Surely I still need .htaccess to redirect any requests for that directory and its contents to the PHP script that finds out if the user is logged in or not?

Heh.

So you’ll be implementing an .htpasswd then ? :slight_smile:

Yep, same thing really; just nicer urls.

I edited my previous post BTW.

Writing to .htaccess wouldn’t happen often so I think it’s an OK solution. Thanks for your help chaps!

EDIT:

Another thing… is the performance hit for routing every file request through a script anything to be concerned about?

Regarding access, the files are impossible to access via a browser because they exist outside of webroot. So they literally have no path to ‘figure out’ or browse to.

The PHP script applies the logic and serves the file.

Yes, performance can be an issue which is why I asked about the type of files being served. Just remember to use readfile() and you should be OK.

Why would you need to rewrite the .htaccess?

I didn’t really pick up on moving the files outside of the root, I stupidly thought you meant in a subdirectory.

Unfortunately the files will have to be located in a subdir of the webroot, so it looks like I have to use htaccess after all.

Sort of I suppose. But I can’t use the AuthUserFile stuff because it all has to be done via HTML forms…

I never thought something like this would involve such difficulty. It’s like what I want to achieve can be done in so many ways, but with one caveat in each case.

Why not use the PHP approach, but lock down the file directory with a simple .htaccess ?

Yeah, I think that’s what I’m going to do. Thanks for your patience! :slight_smile:

Great. No problem, just let me know if you get stuck; I’m PM ScallioXTX. :slight_smile:

mod_auth is what you need ( .htuser / .htpasswd )