Re: Using PHP for accsess control, preventing access to staticfiles

[Jeffrey Sambells <jeff@xxxxxxxxxxxx>]

I ran into a similar problem and came up with a slightly different  
solution...

As an alternative to passing the file directly through PHP, if you  
are running apache, you could DENY access to all files in a directory  
and then use PHP to dynamically update a local .htaccess file with  
valid sessions and use something like mod_security or a simple cookie/ 
query_string check to see if the requested file has a valid session.  
Then apache would handle the download as normal so users could use  
whatever download mechanism they want.

- jeff

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeffrey Sambells
Director of Research and Development
Zend Certified Engineer (ZCE)

We-Create Inc.
jeff@xxxxxxxxxxxx email
519.745.7374 office
519.897.2552 mobile

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get Mozilla Firefox at
http://spreadfirefox.com

On 27-Oct-05, at 5:45 PM, Dan Trainor wrote:

> Ben wrote:
>
> > Dan Trainor said the following on 10/27/2005 01:34 PM:
> >
> >
> > > Ben wrote:
> > >
> > >
> > > > Move the files outside the document root so that they aren't  
> > > > available
> > > > via a direct URL, then create a 'file access page' in php that will
> > > > check for the session variable and either send or not send the file
> > > > based on whether the user has access.
> > > >
> > > > - Ben
> > >
> > >
> > > Ben -
> > >
> > > I knew this, but it was the "send or not send" thing that I was
> > > concerned about ;)
> >
> >
> > Sounds like you need to have a look here:
> > http://ca3.php.net/manual/en/ref.filesystem.php
> >
> > and specifically here:
> > http://ca3.php.net/manual/en/function.fpassthru.php
> >
> > and so you can set the proper headers:
> > http://ca3.php.net/manual/en/function.filetype.php
> >
> > The on-line manual is your friend :-).
> >
> > Also, you will want to be _very_ careful about ensuring that the file
> > you are sending is in fact the file you want to be sending (ie
> > /etc/passwd would be a no-no).
> >
> > - Ben
>
> Ben -
>
> Yes, I've been playing with passthru() today, and it's quite
> interesting.  I think it's going to work.  I made a little pass- 
> through
> (pardon the pun) scriupt to do exactly what I'm looking for.
>
> I've already started working on a set of sanity checks and such for  
> the
> requested files to prevent such malicious activity.
>
> I want to thank you all again for your help.
>
> Thanks!
> -dant
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php