Hey all, I'm looking for solutions/recommendations for protecting direct access to files from non-authenticated users.
I'm using a custom PHP/MySQL authentication where I have an include on every PHP page checking the users credentials (stored in a PHP session) and providing access. However, this isn't efficient for files such as images or videos that could be accessed directly by any user, effectively bypassing the PHP auth.
I've implemented an additional PHP script that serves our sensitive files from outside the web root, which works great, but I'm looking for a solution to protect these misc files inside the web root whether it be a PHP solution, mod_rewrite, Apache modules, etc.
Thanks in advance for your time!
Anything that you don't want to be accessible on the Internet or that you want to restrict access to, should be placed outside of your DocumentRoot on your account. That's the best way to work this.
With a PHP script, it can still access files that are outside your DocumentRoot. The PHP script would act as a kind of "middle-man" between the website visitor and the restricted file.