User created Password Protected Directories
Registering a user name and password via PHP creates a private directory
Okay, any ideas on how I do this?
A user goes to a page on the site:
1. The page prompts the user to create a user ID/Password.
2. A folder is created for the user, which is protected by their user ID/Password.
3. The user is then allowed to upload/download files to the folder (and no other).
4. When they return to the site, they log in and are immediately taken to their folder.
Any pointers, code etc. would be greatly appreciated and reciprocated!
Welcome to WebmasterWorld, quixotic.
I can talk it out in pseudocode a bit if that is what you are looking for ...
- Create a form that prompts the user for their user ID/Password; if they don't have one, give them an option to register/set up.
- Upon successful setup, create a folder on the backend for this user and store the user's *home* folder path/name in the database along with their other information: userid, password, email, home folder, etc.
- Set up a script which allows the user to upload/download files to their folder only. Basically, after they log in they can go to your page that allows for file uploads, and upon a successful file upload you move the uploaded file to the directory on record for the currently authenticated user.
- By default when a user performs an initial login they are immediately taken to their folder. You can do this by checking the database for their *home* folder.
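The steps above, sketched in PHP as an added example that is not part of the original thread. The `users` table layout, the function names and the storage root are assumptions; an in-memory SQLite database and a temporary directory stand in for the site's real database and storage.

```php
<?php
// Added example: users table, function names and storage root are assumptions.
function register_user(PDO $db, string $root, string $user, string $password): string {
    // Restrict user IDs so they are safe to use as a folder name.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $user)) {
        throw new InvalidArgumentException('invalid user ID');
    }
    $home = $root . '/' . $user;
    // 0700: only the web server account can enter; PHP does the per-user check.
    if (!mkdir($home, 0700, true)) {
        throw new RuntimeException('could not create home folder');
    }
    // Store a hash, never the password itself, next to the home folder path.
    $stmt = $db->prepare('INSERT INTO users (userid, pw_hash, home) VALUES (?, ?, ?)');
    $stmt->execute([$user, password_hash($password, PASSWORD_DEFAULT), $home]);
    return $home;
}

function login(PDO $db, string $user, string $password): ?string {
    $stmt = $db->prepare('SELECT pw_hash, home FROM users WHERE userid = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Return the home folder on record only when the password matches.
    return ($row && password_verify($password, $row['pw_hash'])) ? $row['home'] : null;
}

function path_in_home(string $home, string $name): string {
    // basename() drops any directory part, so "../other/file" cannot leave $home.
    $name = basename($name);
    if ($name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('invalid file name');
    }
    return $home . '/' . $name;
}

// Constructed demo data.
$root = sys_get_temp_dir() . '/user_homes_' . bin2hex(random_bytes(4));
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid TEXT PRIMARY KEY, pw_hash TEXT, home TEXT)');
register_user($db, $root, 'demo_user', 'correct horse');
var_dump(login($db, 'demo_user', 'wrong password'));    // failed login
$home = login($db, 'demo_user', 'correct horse');        // home folder on record
var_dump(path_in_home($home, '../../etc/passwd'));       // stays inside $home
```

In an upload handler, the destination passed to `move_uploaded_file()` would be `path_in_home($home, $_FILES[...]['name'])`, with `$home` taken from the logged-in user's record rather than from the request.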
Thank you very much Coopster. This definitely helps, I think I only need one more piece of the puzzle.
2. is the most difficult for me:
I can use mkdir to create the folder for the user, but I can't figure out how to lock read/write/execute privileges to just the user.
would create the user's folder, and while the permissions are locked to the "owner", the "owner" is the webserver, not the person currently logged in when the script is called.
Okay, I think I might have answered my own question... I'm new to the world of security, but if I do this:
only the webserver has access to user. But it doesn't matter since I should be able to make a PHP page that compares ID/password to the DB, then asks the webserver to feed the contents of the user directory back to the user.
I'll also need something else to keep them logged in though so they can navigate the files, which I guess would be a cookie. Am I on the right track?
You could use a SESSION
session_start(); // always at the top of the script
// read the posted values from $_POST (form field names assumed)
$username = $_POST['username'];
$password = $_POST['password'];
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
To use it:
// all pages that need the username session
// will start with session_start()
Check the manual
Ahh, I see now. It sounds like there are a few ways to do this. The easiest and least secure is to create and edit .htaccess & .htpass files, which should keep you logged in while the browser is open. The most secure appears to be using a DB and tracking the user by using SESSIONS. I like the DB and using SESSIONS option, it's safer, easier to manage in the long run, and I can customize the login. Looks like I've got some code to try and write now...
Thanks everyone for your input!
Before diving into coding, you might give the following a try:
Do not leave your DB_connection script at root level or anywhere by WWW;
set it below www, for example where your CGI lies.
It provides you with a more secure way of protecting your Db_conn.