Welcome to WebmasterWorld Guest from 50.19.156.19

Forum Moderators: coopster & jatar k

Message Too Old, No Replies

User created Password Protected Directories

Registering a user name and password via PHP creates a private directory

     

quixotic

12:51 am on Nov 18, 2005 (gmt 0)

10+ Year Member



Okay any ideas on how do I do this?

A user goes to a page on the site:
------------------------------------------------
1. The page prompts the user to create a user ID/Password.

2. A folder is created for the user, which is protected by their user ID/Password.

3. The user is then allowed to upload/download files to the folder (and no other).

4. When they return to the site, they log in and are immediately taken to their folder.
-------------------------------------------------

Any pointers, code etc. would be greatly appreciated and reciprocated!

((((@
c(.).)
\__>

coopster

5:44 am on Nov 18, 2005 (gmt 0)

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Welcome to WebmasterWorld, quixotic.

I can talk it out in pseudocode a bit if that is what you are looking for ...

  1. Create a form that prompts the user for their user ID/Password; if they don't have one, give them an option to register/setup.
  2. Upon successful setup create a folder on the backend for this user and store the user's *home* folder path/name in the database along with their other information, userid, password, email, home folder, etc.
  3. Setup a script which allows the user to upload/download files to their folder only. Basically, after they login they can go to your page that allows for file uploads and upon a successful file upload you move the uploaded file to the directory on record for the currently authenticated user.
  4. By default when a user performs an initial login they are immediately taken to their folder. You can do this by checking the database for their *home* folder.

quixotic

4:41 pm on Nov 18, 2005 (gmt 0)

10+ Year Member



Thank you very much Coopster. This definitely helps, I think I only need one more piece of the puzzle.

2. is the most difficult for me:
I can use mkdir to create the folder for the user, but I can't figure out how to lock read/write/execute priveledges to just the user.

For instance,

mkdir("/user",0700);

would create the user's folder, and while the permissions are locked to the "owner", the "owner" is the webserver, not the person currently logged in when the script is called.

Thanks again!

quixotic

8:38 pm on Nov 18, 2005 (gmt 0)

10+ Year Member



okay i think i might have answered my own question... I'm new to the world of security, but if i do this:

mkdir("/user",0700);

only the webserver has access to user. But it doesn't matter since I should be able to make a PHP page that compares ID/password to the DB, then asks the webserver to feed the contents of the user directory back to the user.

I'll also need something else to keep them logged in though so they can navigate the files, which I guess would be a cookie. Am I on the right track?

henry0

5:10 pm on Nov 19, 2005 (gmt 0)

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



You could use a SESSION

To initiate:

session_start();// always on top of script
// post value through $_POST
$username=$_POST['username'];
$password=$_POST['password'];

$_SESSION['username'] = $username;
$_SESSION['password'] = $password;

To use it:
session_start()
$username=$_SESSION['username'];
// etc...
// all pages the need the username session
// will start by SESSION_START()

Check the manual
[us2.php.net...]

quixotic

5:22 pm on Nov 21, 2005 (gmt 0)

10+ Year Member



Ahh, I see now. It sounds like there are a few ways to do this. The easiest and least secure is to create and edit .htaccess & .htpass files, which should keep you logged in while the browser is open. The most secure appears to be using a DB and tracking the user by using SESSIONS. I like the DB and using SESSIONS option, it's safer, easier to manage in the long run, and I can customize the login. Looks I've got some code to try and write now...

Thank's everyone for your input!

henry0

6:24 pm on Nov 21, 2005 (gmt 0)

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Before diving in coding you might give a try to the following:
Do not let you DB_connection script at root level or anywhere by WWW
set it below www for ex where lies your CGI
it provides you with more secured way of protecting your Db_conn.