PHP authentication?'s

Questions about PHP and authentication


epsd

2:25 pm on Feb 25, 2005 (gmt 0)


I've been playing with several PHP scripts that I put together and they work (seemingly) well for protecting pages. I can log the user in, and using sessions, I can manage where they are allowed to go (and I log their login to SQL as well).

My question is (and maybe I'm just blind), how do you use this to protect non-php 'stuff'? I include a 'logged in' check on all my pages, but what about a PDF for example? Couldn't a non-logged in user reach down and pull up a PDF if they knew the address?

Do I need to combine this with some of Apache's .htaccess stuff? Anyway, great site and if anyone has any advice, etc, I'd appreciate it!

john

dmmh

5:07 pm on Feb 26, 2005 (gmt 0)


Yes, you could block access to folders with htaccess, so they can't list folder contents, but of course, if they know the filename and the folder... they can download it. I simply bypass this by sending the filename to a script which has the hardcoded URL to the folder in it, and it just looks for the filename, then it sends the file. This way the user never gets to know the real dir the file is in. I use some obscure name for the folder to 'protect' it even further (like 'xhjasbpenqwie', good luck guessing).
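
A download script of the kind discussed in this thread, as an added example that is not code from either poster: it applies the same session login check to a PDF or other non-PHP file and serves it from a directory outside the web root, so access does not depend on the folder name staying secret. The `logged_in` session key, the `file` parameter, the `PROTECTED_DIR` path and the `resolve_protected_file()` helper are assumptions made for illustration.

```php
<?php
// download.php - added example, not code from the thread.
// Assumptions: the login script sets $_SESSION['logged_in'] = true,
// and protected files live in a directory outside the web root.
declare(strict_types=1);

const PROTECTED_DIR = '/var/www/protected_files'; // hypothetical path outside DocumentRoot

// Map a requested name to a real file inside $baseDir, or null if not allowed.
function resolve_protected_file(string $baseDir, string $requested): ?string
{
    // Accept only plain file names such as "report-2005.pdf": no slashes,
    // no leading dot, no quotes or control characters.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Reject symlinks or anything else that resolves outside the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['logged_in'])) {
    http_response_code(403);
    exit('Login required.');
}

$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_protected_file(PROTECTED_DIR, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

// The name check above excludes quotes and newlines, so it is safe in a header.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

If the files have to stay under the web root, deny direct requests to that directory in Apache so that this script is the only way to reach them.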