[thelist] how to protect downloadable docs in members only area

Tris beertastic at gmail.com
Mon Oct 15 04:07:51 CDT 2007


But users can still 'guess' file locations... and bypass the login
area that way...
Unless you employ a random number system to file names... ?
that'll slow them down..!

On 15/10/2007, Simon Harrison <sharrison at mzl.com> wrote:
>
> Try creating a session variable as you log in, and look for that session
> variable at the head of every secure page. No session variable, no
> entry.
>
>
>
> -----Original Message-----
> From: thelist-bounces at lists.evolt.org
> [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Tris
> Sent: 15 October 2007 10:01
> To: thelist at jarmin.com; thelist at lists.evolt.org
> Subject: Re: [thelist] how to protect downloadable docs in members only
> area
>
>
> I used to keep the files outside of the www DIR... and then created a
> download page, (with a login checker) and then used the header()
> function to assign the correct mime type and pass the file to the
> user...
>
> Does that make sense?
> it worked great for me, and no one could guess the URL direct to the
> files, 'cause there were none!
>
> let me know if you need more info..
>
> Tris...
>
>
> On 15/10/2007, iris <thelist at jarmin.com> wrote:
> > good morning everyone
> >
> > i've got a website that has a password protected members' area (php
> > login system).  physically the content is all located within a /members/
> > folder.  within this is a documents folder with word, powerpoint etc
> > docs which can be downloaded from within the members' area (i.e. only if
> > logged in).
> >
> > however, if someone knew the exact location of a document
> > (http://example.com/members/docs/example.doc) they could get to them
> > without being logged in.
> >
> > how do i protect these documents from unauthorised access?
> >
> > i tried the htaccess file approach, passing the login instructions in
> > the links, so that those logged in don't have to log in again. e.g.
> > <a href="http://username:password@example.com/members/docs/example.doc">
> > but i discovered that IE doesn't play nice if the security settings are
> > set too high (middle being too high).  since the users of this site are
> > mostly on university computers and might not have rights to change these
> > settings, i've decided that this is a bad method.
> >
> > has anybody got another solution for me?
> >
> > also, are the documents safe from search engines? (i don't really trust
> > them to follow the instructions in robot.txt)
> >
> > thank you so very much
> >
> > iris
> >
> > --
> >
> > * * Please support the community that supports you.  * *
> > http://evolt.org/help_support_evolt/
> >
> > For unsubscribe and other options, including the Tip Harvester
> > and archives of thelist go to: http://lists.evolt.org
> > Workers of the Web, evolt !
> >
>
>
> --
> Give a man a fish and he'll feed himself for a day.
> Give a man a religion and he'll starve to death praying for a fish.
> Anon
>
> `We are what we pretend to be, so we must be careful what we pretend to
> be.`
> Kurt Vonnegut
>
> `When a person can no longer laugh at himself, it is time for others
> to laugh at him.`
> Thomas Szasz


-- 
Give a man a fish and he'll feed himself for a day.
Give a man a religion and he'll starve to death praying for a fish.
Anon

`We are what we pretend to be, so we must be careful what we pretend to be.`
Kurt Vonnegut

`When a person can no longer laugh at himself, it is time for others
to laugh at him.`
Thomas Szasz
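
An added example, not code from anyone in this thread: a download page that combines the two suggestions above (files kept outside the web root, a session check before anything is sent), so a guessed name is useless without a logged-in session. The session key `member_id`, the `file` query parameter and the `DOC_ROOT` path are assumptions made for the illustration.

```php
<?php
// download.php - added illustration, not code from the thread.
// Assumptions: the login page sets $_SESSION['member_id'], and the documents
// live in DOC_ROOT, a directory outside the web server's document root.
declare(strict_types=1);

const DOC_ROOT = '/var/private/member-docs';   // hypothetical path

/** Resolve a requested name to a real file inside $root, or return null. */
function resolve_document(string $root, string $requested): ?string
{
    // Allow only a plain file name: no directory separators, no leading dot.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $requested)) {
        return null;
    }
    $rootReal = realpath($root);
    $path = realpath($root . DIRECTORY_SEPARATOR . $requested);
    // realpath() follows symlinks, so confirm the result is still under $root.
    if ($rootReal === false || $path === false || !is_file($path)
        || strncmp($path, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['member_id'])) {           // the "login checker"
    http_response_code(403);
    exit('Please log in.');
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolve_document(DOC_ROOT, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('No such document.');
}

// Detect the MIME type from the file content and send it as an attachment.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Links in the members' area would then point at `download.php?file=example.doc` rather than at the document itself.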


