chasejbarnes — 2013-08-01T14:10:04-04:00 — #1
I have a possibly silly web security issue I can't figure out.
I'm serving sensitive files to individuals in a program database. I want the users to be able to click links to view these files in their own secure member areas. However, since these are all in the same documents folder, anybody can just view the folder root and see everybody's files.
There are too many users to create folders and .htaccess files for all of them, unless I'm dumb and there is a way.
Am I missing the obvious solution, or does anybody have a good way to do this? Just want users to be able to view personal documents but keep the folder itself hidden.
Any help is awesome, Thanks!
cheesedude — 2013-08-01T15:29:46-04:00 — #2
Place the files in a folder above your public root folder and control access through PHP or whatever script you are using or deny access to a file directory below your public folder and use PHP to read the file from there (less secure). Or, you can store the files as binary data in a database and control access that way.
I do not have much knowledge in that area and, in fact, I am hopeful others will chime in about file access control so I can learn a thing or two. Such as: if you control file access through PHP with the files stored above public_html, which PHP function(s) do you use to transmit the file to the browser, which headers should you use, and once the file transmission has begun, does the PHP script end with no max_execution_time issues with the server taking over? I am basically looking for how one would protect files for a membership site.
So if anyone has any information to share or links to info, I would be glad to see it because this is one gap I would like to fill.
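One way to implement the first approach cheesedude describes (files kept above the public root, served through PHP after an ownership check), written as an added example for this thread rather than code from any poster. It assumes a hypothetical layout where each user's documents live under `/var/www/private_docs/<user_id>/`, that the login code already stores the user's numeric id in `$_SESSION['user_id']`, and that links in the member area look like `download.php?file=report.pdf`:

```php
<?php
// Added example, not from the thread: serve a per-user document that lives
// OUTSIDE the public web root, so Apache never lists or serves the folder.
// Assumed (hypothetical) layout:
//   /var/www/private_docs/<user_id>/<filename>   <- not under public_html
//   /var/www/public_html/download.php            <- this script
declare(strict_types=1);

const PRIVATE_DOCS_ROOT = '/var/www/private_docs'; // assumed path, outside the docroot

session_start();

// 1. Authentication: the user must already be logged in. Assumes the login
//    code stored the numeric user id in the session.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}
$userId = (int) $_SESSION['user_id'];

// 2. Take only a bare file name from the request. basename() strips directory
//    components such as "../", so the request cannot point at another folder.
$requested = basename((string) ($_GET['file'] ?? ''));
if ($requested === '' || $requested === '.' || $requested === '..') {
    http_response_code(400);
    exit('Bad request');
}

// 3. Authorization: the directory comes from the SESSION user id, never from
//    the request, so a user can only ever reach their own folder.
$userDir = realpath(PRIVATE_DOCS_ROOT . '/' . $userId);
if ($userDir === false) {
    http_response_code(404);
    exit('Not found');
}
$path = realpath($userDir . '/' . $requested);

// realpath() returns false for a missing file and resolves symlinks, so
// re-check that the resolved path is still inside this user's directory.
if ($path === false || !is_file($path) || strpos($path, $userDir . '/') !== 0) {
    http_response_code(404);
    exit('Not found');
}

// 4. Send the file. "attachment" forces a download instead of letting the
//    browser render (for example) an uploaded HTML file inside your site's origin;
//    nosniff stops the browser from second-guessing the content type.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $requested);
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Cache-Control: private, no-store');

// readfile() streams the file straight to the client instead of loading it
// all into a PHP string first.
readfile($path);
exit;
```

The two checks that matter are the order of steps 1 and 3: the session decides which folder is consulted, and the request only picks a name inside it. If documents are tracked in a database table instead of per-user folders, replace step 3 with a lookup keyed by document id that also matches the owner column against the session user id, and serve the path stored in that row. `application/octet-stream` is the conservative choice here; if the member area needs inline viewing of PDFs, switch the type only for file extensions you explicitly allow.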
mittineague — 2013-08-01T16:02:27-04:00 — #3
If you're talking about someone going to
and getting Apache's default listing of its file contents, you can put this in that folder's .htaccess file (or higher up if you prefer this for all folders).
However - depending on how sensitive this info is, shouldn't you be using HTTPS?
If not, it sounds like cheesedude's answer is the way to go.