Forbid access to files in a simple PHP login system

I wrote this VERY simple PHP login system:

<?php
    session_start();
    $error = '';

    if (isset($_POST['username']) && isset($_POST['password']))
    {
        if ($_POST['username'] == 'user' && $_POST['password'] == 'pass')
        {
            $_SESSION['client'] = 'ok';
            header("Location: /kit/kit/index.php");
            exit(); // stop the script after the redirect so nothing below still runs
        }
        else
        {
            $error = 'Usuario o contrase&ntilde;a incorrectos.';
        }
    }

?>

Don't worry about the vulnerability issues, it's not protecting anything valuable.

In every .php page I add:

<?php
    session_start();

    if (!isset($_SESSION['client']) || $_SESSION['client'] != 'ok')
    {
        Header ("location: /kit/index.php");
        die();
    }

?>

This protects the .php sessions just fine.

The problem is that this doesn't protect the files.

I mean if I go directly to:

something/other/file.zip

it will download it whether you have logged in or not.

I hope the question is clear enough, if not, please ask!

Trufa asked Oct 14 '22 23:10


2 Answers

To stop a user from seeing the directory, all you need to do is create an index page in that folder. Ex: index.htm, index.html, default.htm, default.html.

To stop a user from entering the folder (e.g. stop anyone from viewing http://www.yoursite.com/myFolder/), you may need to access some features of your web host. Some hosts allow you to password protect files or folders. You can also create an .htaccess file/folder.

An htaccess file is a simple ASCII file, such as you would create through a text editor like NotePad or SimpleText. Many people seem to have some confusion over the naming convention for the file, so let me get that out of the way.

.htaccess is the file extension. It is not file.htaccess or somepage.htaccess, it is simply named .htaccess

Create the file

In order to create the file, open up a text editor and save an empty page as .htaccess (or type in one character, as some editors will not let you save an empty page). Chances are that your editor will append its default file extension to the name (ex: for Notepad it would call the file .htaccess.txt). You need to remove the .txt (or other) file extension in order to get yourself htaccessing--yes, I know that isn't a word, but it sounds keen, don't it? You can do this by right clicking on the file and renaming it by removing anything that doesn't say .htaccess. You can also rename it via telnet or your ftp program, and you should be familiar enough with one of those so as not to need explaining.

htaccess files must be uploaded as ASCII mode, not BINARY. This makes the file usable by the server, but prevents it from being read by a browser, which can seriously compromise your security. (For example, if you have password protected directories, if a browser can read the htaccess file, then they can get the location of the authentication file and then reverse engineer the list to get full access to any portion that you previously had protected. There are different ways to prevent this, one being to place all your authentication files above the root directory so that they are not www accessible, and the other is through an htaccess series of commands that prevents itself from being accessed by a browser, more on that later)

JUST IN CASE: stop users from downloading your file

Store all things that are downloadable outside your document root, which means before the public_html file.

EDIT: updated the section below to show graphical representation of folder structure

How do you access them then?

work
    downloadableFiles
        downloadables
        -    memberOnlyFile.zip
        -    welcomePackage.zip
        -    memberhshipVideoVideo.mov
        photos
        -    photo1.jpeg
        -    photo2.jpeg
    public_html
    -    index.htm
        About
        -    about.html
        -    about.gif
        LogIn
        -    login.htm
        -    loginScreen.htm
        -    loginFancyButton.gif

Now anything in the public_html folder the world can see through your website.

Anything outside your public_html folder will not be visible directly to the world through your website by typing the file name into the address bar in their browser. So that's a good thing, as we are going to save all our files that we don't want to give access to outside of the public_html folder.

Now say if you want a certain user to be able to download a file, say maybe a logged in user, you can still make the file downloadable by having a link to that file.

If we are at the login Page, to access the loginScreen webpage you just write down the hyperlink like so:

<a href="loginScreen.htm">login screen</a>

since that page is in the same folder. Now if you want to allow a user to be able to download a file from the downloadable files folder, which is outside the public_html folder, since it is not in that folder itself you just reference it like so:

How would we get to that folder if we are in the login folder as we are viewing the loginScreen.htm page, you go one folder back so we end up being in the public_html folder. then we go another folder back so we are in the work folder.

so it would look like this so far.

../../ which means two folders back.

Then to access the memberonlypath.zip we need to go into the downloadableFiles folder, then we need to get into the downloadable files, and then we can link it to the file membersOnlyFile.zip, which is the file we were looking for before.

so the full link now becomes

<a href="../../downloadableFiles/downloadable/membersOnlyFile.zip">download file</a>

This way the user cannot access the file by simply typing it on the address bar but can download it if you reference it yourself like the above.

Hope this helps

PK

Pavan answered Oct 18 '22 04:10


Store all files you don't want downloaded outside the DocumentRoot.

bcosca answered Oct 18 '22 03:10
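What both answers point at, as an added example that is not part of the question or of either answer: a small PHP gate script that keeps the zip files outside the document root and streams one to the browser only when the session carries the client = ok flag set by the question's login script. The directory layout (work/public_html beside work/downloadableFiles/downloadables, as drawn in the first answer), the script name download.php and the query parameter name file are assumptions made for the illustration.

```php
<?php
// download.php: added example, not code from the question or the answers.
// Serves files that live OUTSIDE the document root, but only to a browser
// whose session was marked by the login script ($_SESSION['client'] === 'ok').
session_start();

if (!isset($_SESSION['client']) || $_SESSION['client'] !== 'ok') {
    header('Location: /kit/index.php');
    exit(); // stop here, otherwise the code below would still run
}

// Assumed layout: public_html is the DocumentRoot and the private folder sits
// next to it, one level up, so it is never reachable by URL.
$privateDir = realpath(dirname($_SERVER['DOCUMENT_ROOT'])
    . '/downloadableFiles/downloadables');

// Accept only a plain file name: letters, digits, dot, dash, underscore, and it
// must start with a letter or digit. That rejects "", ".", "..", "../x" and
// anything carrying a quote that could break the Content-Disposition header.
$requested = $_GET['file'] ?? '';
if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $requested)) {
    http_response_code(400);
    exit('Bad request');
}

$path = realpath($privateDir . DIRECTORY_SEPARATOR . $requested);

// realpath() returns false for a missing file. The prefix check makes sure the
// resolved path is still inside the private directory (a symlink placed there
// pointing elsewhere would otherwise escape it), and is_file() excludes dirs.
if ($privateDir === false || $path === false
    || strpos($path, $privateDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Stream the file. The browser only ever sees download.php?file=..., never the
// real location on disk, and a direct request for the zip by path gets nothing
// because the web server maps URLs onto paths inside the DocumentRoot only.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $requested . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
exit();
```

A page that has passed the question's session check links to the file as `<a href="download.php?file=memberOnlyFile.zip">download file</a>`; the same script works unchanged if the private folder is instead kept inside public_html behind an .htaccess that denies direct access, since PHP reads the file from disk rather than through a URL.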