I need to be able to limit access to certain directories. I can do this by chmod or using mod_rewrite, but I also need access to be granted if a user has a password.
These directories cannot be moved from one directory to another and must stay in the same place. The only thing that must change is whether they can be accessed publicly or via logging in.
So for instance, the contents of http://example.com/stuff/ must not be accessible publicly, but if I have a password they can. However, I, the owner of the website, must be able to change this on a whim - i.e. remove the restriction, or add it.
How do I go about doing this? I’d like to avoid server-stuff (htaccess things, chmod, etc) as much as possible.
If you have something like CPanel, you can set usernames and passwords on directories through a simple interface (in CPanel: Security > Password Protect Directories).
Or you can do it manually as explained here, though it involves some of the stuff you didn’t want to touch.
I’ve used these two methods, but there may be better ways of doing this.
Can you elaborate as to what type of files you want to protect? In all honesty though, using an .htaccess to implement a user/pass combo will be less work than a PHP based solution.
I can’t use CPanel because it’s not my website. I’m just providing stuff to be installed on someone else’s server. Also, the users with access are not static and can change all the time.
The files are images, SWFs, FLVs, MP4s, PDFs and common MS Office files. They are for an institution where members are given a password to access this stuff. There are no usernames, just the passwords (this is what I’ve been told to do) so that people don’t need an “account”, just this password. None of the stuff is especially sensitive, they just don’t want some of these directories to be crawled by Google or accessed directly if one of the members posts a link to the file somewhere.
Modifying the .htaccess file with PHP would be easy enough to do. The problem is that I can’t use those modal user/pass things. It has to be web based (i.e. HTML forms).
Store all the media in a directory above webroot, then simply proxy the data through PHP. Simply create a form and post it to a script to check the submitted password; if it matches, start a session and store a value to indicate they are authorised.
You then create a script to send the file to the user if they have this session variable, if not, send 'em to the login form.
This is also an easy thing to do with a CMS, where all the functionality is built in. The site owner can then just assign privileges via a web interface in their control panel. Is a CMS an option?
I was thinking this might be the way to go, but I was concerned about uglifying the URLs. Ralph, the CMS is not an option - this is basically a mini-CMS (only a few specific functions).
But to stop someone copying the media/flv/grannydances.flv bit into the address bar and hitting enter, I’d still have to add htaccess rules restricting direct access to those directories, right?
I’m still a little confused. Suppose someone bangs http://example.com/media/meerkat.jpg into their browser. It’s in a directory that needs the password. Surely I still need .htaccess to redirect any requests for that directory and its contents to the PHP script that finds out if the user is logged in or not?
Regarding access, the files are impossible to access via a browser because they exist outside of webroot. So they literally have no path to ‘figure out’ or browse to.
The PHP script applies the logic and serves the file.
Yes, performance can be an issue which is why I asked about the type of files being served. Just remember to use readfile and you should be OK.
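The approach described in the replies above (media kept outside the web root, a session flag set after the password check, readfile to send the file), as an added example that is not part of the original thread. MEDIA_ROOT, LOGIN_URL, the file query parameter and the authorised session key are assumed names, and the login script that sets the flag is assumed to exist separately.

```php
<?php
declare(strict_types=1);
// serve.php: added example; every path and name below is an assumption.

const MEDIA_ROOT = '/var/www/private_media'; // assumed directory outside the web root
const LOGIN_URL  = '/login.php';             // hypothetical HTML login form

// Map a requested relative path to a real file under $root, or return
// null if it is missing or resolves outside that directory (../, symlinks).
function resolve_media_path(string $requested, string $root = MEDIA_ROOT): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null; // realpath() rejects NUL bytes; treat as not found
    }
    $base = realpath($root);
    $full = realpath($root . '/' . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // The canonical path must sit strictly inside the media root.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

session_start();
// The login script is assumed to set this flag after checking the password
// (for example with password_verify()) and calling session_regenerate_id(true).
if (empty($_SESSION['authorised'])) {
    header('Location: ' . LOGIN_URL, true, 302);
    exit;
}

$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolve_media_path($requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

session_write_close(); // release the session lock before a long transfer

// mime_content_type() needs the fileinfo extension; fall back if it fails.
header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('X-Robots-Tag: noindex'); // keeps served files out of search indexes
header('Cache-Control: private');

readfile($path);
```

With this layout a link takes the form serve.php?file=flv/grannydances.flv, and the realpath prefix check is what stops a request such as file=../../etc/passwd from leaving the media directory.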
Sort of I suppose. But I can’t use the AuthUserFile stuff because it all has to be done via HTML forms…
I never thought something like this would involve such difficulty. It’s like what I want to achieve can be done in so many ways, but with one caveat in each case.