Welcome to WebmasterWorld Guest from 54.196.214.35

Forum Moderators: coopster & jatar k

Message Too Old, No Replies

hiding .htpasswd access from users?

Access files in a secure directory without typing in a second password?

     
7:30 pm on Jun 10, 2005 (gmt 0)

New User

10+ Year Member

joined:June 9, 2005
posts:38
votes: 0


I have a directoy that is secured with .htaccess and .htpassword. The directory should only be accessed by registered users which are already logged in using mysql/php.

The directory will only contain a bunch of pdf files, but I dont want people that arent logged in to see the pdf files, and I dont want to enter 3000 users into the htpassword directory, and I dont really want the people that already logged in to have to log into the secure directory again.

My ideal sollution would be to have the user click on the link for the file they want to see, and have the PHP file enter the username and password of the secured directory, and open the file for the user so they dont even have to know that its secure. that way any user can look at the file, but if someone just tries to type in the direct address of the file, they'll get a password prompt.

Any ideas? Is this possible?

Andy

12:15 am on June 11, 2005 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12533
votes: 0


Welcome to WebmasterWorld, andyd273.

Yes, it is possible, but I have never done it that way myself. I would keep the documents below the document root and if a user requests one of the docs you would authenticate them using your current database/authentication setup, read the file into a string variable, then push your own headers and the file down to their browser.

1:19 pm on June 13, 2005 (gmt 0)

New User

10+ Year Member

joined:June 9, 2005
posts:38
votes: 0


yeah, that sounds complicated too... any idea where I can look to find out how to convert from a pdf to a string and then back to a pdf? or at least something that acrobat can read?

or if anyone can give me any hints on how to do it the .htaccess/htpasswd way that would be cool to.

I dont really care how it ends up working, as long as it works :)

[edited by: andyd273 at 1:26 pm (utc) on June 13, 2005]

1:20 pm on June 13, 2005 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12533
votes: 0


PHP Filesystem manual pages, the readfile() [php.net] function works well for this.
5:15 pm on June 13, 2005 (gmt 0)

New User

10+ Year Member

joined:June 9, 2005
posts:38
votes: 0


hmm, ok that kinda worked.
when I put the get file stuff into a php document by itself it worked great, but when I tried to put it into the normal page it echoed the file into the browser instead of asking if I wanted to download the file.

<?
echo "<html><head><title>Newsletter Archive</title></head><body>";
include_once("include/session.php");
if(!$session->logged_in){
header("Location: main.php");
}
else{
if($filename){getFile($filename);}
?>

Welcome to the Newsletter Archive.<br>
More Coming soon!<br>
<p>
<script>
function input(){
document.archive.filename.value="GMPP_Letter_10-7-2004.pdf";
document.archive.submit();
}
</script>
<form action="archive.php" id="archive" name="archive" method="post">
<input type="hidden" name="filename" id="filename">
<ul>
<li><a href="javascript:input()">GMPP Letter 10-7-2004</a></li>
</ul>
</form>
</p>

<?
}
function getFile($theFile){
header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header ("Content-Type: application/pdf");
header ("Content-Length: " . filesize($theFile));
header ("Content-Disposition: attachment; filename=$theFileName");
readfile($theFile);
}
echo "</body></html>";
?>

6:27 pm on June 13, 2005 (gmt 0)

New User

10+ Year Member

joined:June 9, 2005
posts:38
votes: 0


ok, I played around with it, and got it to work:

but now when it prompts to open, it always gives the file name as archive.pdf (archive.php is the name of the php file). is there a way to make it give the real file name for the pdf that it is opening?

<?
if($filename){
$path = "../../nlArchive/";
$theFile = $filename;
header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header ("Content-Type: application/pdf");
header ("Content-Length: " . filesize($theFile));
header ("Content-Disposition: attachment; filename=$theFileName");
readfile($path.$theFile);
}
else{
include("include/session.php");
if(!$session->logged_in){
header("Location: main.php");
}
else{
echo "<html><head><title>Newsletter Archive</title></head><body>";
?>

Welcome to the Newsletter Archive.<br>
More Coming soon!<br>
<p>
<script>
function input(){
document.archive.filename.value="GMPP_Letter_10-7-2004.pdf";
document.archive.submit();
}
</script>
<form action="archive.php" id="archive" name="archive" method="post">
<input type="hidden" name="filename" id="filename">
<ul>
<li><a href="javascript:input()">GMPP Letter 10-7-2004</a></li>
</ul>
</form>
</p>

<?
echo "</body></html>";
}
}
?>

2:52 pm on June 14, 2005 (gmt 0)

New User

10+ Year Member

joined:June 9, 2005
posts:38
votes: 0


never mind, figured it out:

header ("Content-Disposition: attachment; filename=$filename");

5:53 pm on June 14, 2005 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12533
votes: 0


Yep, that's it. Until MS IE comes along. Were you able to get MS IE to retain that filename for you? I've had issues with it in the past (over SSL at least). There are a ton of known issues when it comes to IE and SSL/PDF work. I'll be interested if you were able to get MS IE to retain the filename.
7:24 pm on June 14, 2005 (gmt 0)

New User

10+ Year Member

joined:June 9, 2005
posts:38
votes: 0


it seems to be working fine.
I click the link for the file that I want to open, and it comes up with the right file name. I kind of trick it into picking the right name though. I found the readdir function, and so I have it automatically search through the directory and get all of the file names, add them to the list automatically, and set the filename when a link is clicked.
here is my final verion (for now anyway). tested in IE and FireFox

<?
if($filename){
$path = "../../nlArchive/";
$theFile = $filename;
header("filename=\"$filename\"");
header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header ("Content-Type: application/pdf");
header ("Content-Length: " . filesize($theFile));
header ("Content-Disposition: attachment; filename=$filename");
readfile($path.$theFile);
}
else{
include("include/session.php");
if(!$session->logged_in){
header("Location: main.php");
}
else{
echo "<html><head><title>Newsletter Archive</title></head><body background='../Images/bg.jpg'>";
include("include/header.php");
echo '<div id="Body" style="position:absolute; width:461px; height:392px; z-index:0; left: 306px; top: 160px; overflow: auto; overflow-x: hidden" class="bodytext">';
?>

<span class="header">Welcome to the Newsletter Archive.</span><br>
<p>
Back to [<a href="main.php">Main Page</a>]
</p>
<p>
<script>
function input(filename){
document.archive.filename.value=filename;
document.archive.submit();
}
</script>
<form action="archive.php" id="archive" name="archive" method="post">
<input type="hidden" name="filename" id="filename">
<ul>
<?
if ($handle = opendir('../../nlArchive')) {
while (false!== ($file = readdir($handle))) {
if ($file!= "." && $file!= "..") {
$temp=explode(".",$file);
echo "<li><a href=\"javascript:input('$file')\" onMouseMove=\"javascript:window.defaultStatus='welcome'\" onMouseOut=\"javascript:window.defaultStatus=''\">$temp[0]</a></li>";
}
}
closedir($handle);
}

?>
</ul>
</form>
</p>
<?
echo "</body></html>";
}
}
?>

1:56 pm on June 15, 2005 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12533
votes: 0


Exactly, I had to trick it by specifying the filename in the link too, and that was the only workaround that was successful.

Every other brower behaves as it should, but MS IE ignores standards, RFC2616 to be specific. We have to make fake <a href> links in order for MS IE to act like a real browser that respects standards (if we don't, MS IE will not *use* the filename in the parmameter specified).

9:09 pm on June 15, 2005 (gmt 0)

New User

10+ Year Member

joined:June 9, 2005
posts:38
votes: 0


Thanks for the help and ideas. always learning
11:17 pm on June 15, 2005 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12533
votes: 0


Thanks for taking the time to work through it, hit the issues and figure out how to resolve them. And, more importantly, sharing your findings. I thought I was the only one that ran into this issue! Like you, I'm also still learning -- aren't we all! If not, you aren't pushing it far enough yet ;)