I'm having a little problem with security using .htaccess..
I have different and exclusive content for different users, and I don't want unauthorized users to access the files via URL. For example:
- User Foo logs in
- User Foo only has access to file1.pdf
- User Foo clicks on the link to download file1.pdf
- User Foo2 logs in
- User Foo2 only has access to file2.pdf
- User Foo2 clicks on the link to download file2.pdf
- User Foo2 tries to download file1.pdf modifying the URL at the address bar:
[mysite.com...] -> [mysite.com...]
(This was exclusive content to user Foo.. so a security flaw has occurred..)
I've tried to «block» all the access to a specific folder on the server using .htaccess, but that way my site's framework can't access the file either.. And that's the main problem.. Blocking everyone from accessing files except my framework..
I was trying to use the next code in .htaccess
Options -Indexes
order deny,allow
deny from all
allow from localhost
#also tried: allow from server_IP
ErrorDocument 403 /error_403.html
but with no success.. I always get the 403: Forbidden error.
Is there a way to accomplish the desired result?
Thanks in advance,
Ed
user, power, admin, that kind of thing
put all files for each group into separate folders
dunno what from here cos I use DMX, all I have to do is select a page and say that if the current logged in user is not admin, then redirect him
having stuff in separate folders will help, as you should be able to create permissions for them
also you could try making your page only display the links he is allowed to download. That way, he can't read the status bar and key in the url
Also slap an index.htm file in each folder so that the page will display and not a list of files
not much I'm afraid, dunno anything about .htaccess, but those are pretty standard things that you can do that will help
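The result the question asks for, as an added example that is not part of the original thread: `deny from all` only blocks HTTP requests for the folder, so server-side code can still read the files from disk and hand them out after a per-user check. Python stands in for the site's unnamed framework; `GRANTS`, `resolve_download`, `read_download` and the file layout are assumptions made for illustration.

```python
import os
import tempfile

# Assumed per-user grants mirroring the thread's Foo/Foo2 scenario; a real
# site would load these from its own database.
GRANTS = {"Foo": {"file1.pdf"}, "Foo2": {"file2.pdf"}}


class AccessDenied(Exception):
    """Raised when the request must be answered with 403."""


def resolve_download(user, requested, protected_dir, grants=GRANTS):
    """Return the on-disk path of `requested` if `user` may download it.

    `protected_dir` is the folder closed to direct HTTP access.
    """
    # Authorize against the exact granted names before touching the disk.
    if requested not in grants.get(user, set()):
        raise AccessDenied(f"{user!r} is not granted {requested!r}")
    base = os.path.realpath(protected_dir)
    path = os.path.realpath(os.path.join(base, requested))
    # Defence in depth: the resolved path must stay inside the folder.
    if os.path.commonpath([base, path]) != base:
        raise AccessDenied("path escapes the protected folder")
    if not os.path.isfile(path):
        raise AccessDenied("no such file")
    return path


def read_download(user, requested, protected_dir, grants=GRANTS):
    """Return the file's bytes for the handler to send, or raise AccessDenied."""
    path = resolve_download(user, requested, protected_dir, grants)
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Constructed sample: two users, two files, one edited URL."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("file1.pdf", "file2.pdf"):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(name.encode())
        results = {"own": read_download("Foo2", "file2.pdf", d)}
        try:
            read_download("Foo2", "file1.pdf", d)  # name changed in the URL
            results["other"] = "served"
        except AccessDenied:
            results["other"] = "403"
        return results
```

Download links then point at the handler (with the file name as a parameter) rather than at the file itself, so changing the name in the address bar reaches the same check.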