I have some files (mp4/pdf/etc..) that I want to deploy to my webserver, but I want access to be restricted so only users who have been authenticated can access them.
The server is running centos 7 with nginx and I have a MYSQL database as well. I understand how to authenticate users using PHP but I don't know how to actually restrict the files from being accessed otherwise.
I expect to be able to provide authenticated users with some link to download the content, but any users who are not logged in will receive some error message.
Put the files outside the web server's document root so they can't be accessed directly by any user. Then create a download page in PHP that verifies your existing authentication, sets appropriate download headers, reads the file, and dumps the contents to the user.
Related
I have a PHP website on IIS 8, with authorized section.
I'd like to add a functionality so that logged in users can download files, for which have rights (information about files assigned to user are stored in database).
These files are stored on authorized FTP server (file size is 10MB-500MB).
I'd like to ask if there is some way to download just the file user has rights to, for example I was thinking about generating some unique link to a file so the user can download it, but without logging to FTP server.
If each user already has a login to the FTP server and the permissions are setup correctly on their folders - you could integrate a PHP FTP section relatively easily which uses the logged in users (of the website) FTP credentials, presuming you have them in the database and just traverse the folders returned from ftp_nlist()
http://php.net/manual/en/function.ftp-nlist.php
Here is a tutorial covering, logging in, retrieving directory contents and getting a file - the 3 things you will need
http://www.dreamincode.net/forums/topic/19945-basic-ftp-tutorial/
I blocked a directory of my client web site due to segurity issues.
In these directory there are some pdf files, that users can read logging-into the application.
In this way when they click on the pdf to download, doesn't appear the URL of the file.
By the way an hacker could find it and read these files, so I blocked the directory.
Now I need to let my users read the pdfs.
How can I do in php?
I mean, only authenticated users can read these files.
Thanks a lot!!
Since PHP runs in Apache Server it 'acts' as the Server User (e.g. www-data) it will be able to access this directory, if the www-data user has the privileges to access it. Any other authorization checks have to be done in PHP by authentication and authorization workflows.
My php website allows authorised users share documents by uploading and downloading documents to a document library.
I want to store the files encrypted on the server, and I am trying to use EFS, instead of explicitly encrypting/decrypting in php code on upload/download.
Server is windows server 2003/IIS
I have created a new user on my server, logged on as this user, then encrypted the folder containing the documents using EFS.
I now want to IIS to run my web application as so it can view the encrypted documents. However I am having trouble with this, as doesn't have all the permissions it needs, for example to write session files.
The other approac I have tried is to keep my website running under IUSR_Machine_Name built in user, and getting php to present user credentials when it wants to open a file for streaming, however, I'm stuck with this too.
Looking for advice on:
Is EFS the right approach?
What permissions would
need for IIS to use it to run my web
application?
Is there any way in php to expicitly
present user credentials at the
point where php function fopen accesses my EFS
encrypted files?
I have a PHP web application (running on Apache/Linux) that, among other things, allows some browsing of local files on the web server. Since Apache is running as a special "www" user, PHP has access to everything that "www" can access, whichever user is logged into the application.
What is the best way to limit the access to files according to the Unix filesystem privileges for the logged-in user? Ideally, I could spawn off a new process with user ID being the logged in user, but I'm not sure if that's possible. Alternatively, is there a standard PHP library somewhere that will do the permission checking and access the files?
I don't get what you mean because the user that access the files is the PHP users, not a generic user that request your page (you are not connecting to your server with SSH)
You may want to implement an ACL on top of your application to manage this rights.
And of course Zend has the solution: http://framework.zend.com/manual/en/zend.acl.html
You may take a look over http://httpd.apache.org/docs/2.0/suexec.html it should do what you need, without the need to keep a separate lsit of users and permissions in your aplications.
As far as i know, this extension is implemented on some(if not all) shared hosting services to control how resources are divided between users.
This will lead to scripts not getting executed by www-data(but by the system user), and PHP not running as a module(by CGI/fastCGI mechanisms).
This can be accomplished via a three-step process:
Create a rewrite rule (via .htaccess or the Apache config file) to redirect all requests for your "local files" to a PHP script.
Check the authentication status of the user in the script.
Use the script to load and output the file if the user is authenticated.
I am creating a PHP script for my website that would allow my clients to login to their client account and view a list of files I've uploaded for them. Then they can download them without having to relogin or re enter a password.
I want to keep it secure so anyone cant come in and download the files if they know the clients name.
I've tried .htacccess, protecting the folders, etc.. but it doesnt seem to work. I've written the client login script thatl ets them login and view a list of files in their directory but I can't have them right click to download it without having them login.
Something similar can be seen here:
http://forums.cgsociety.org/showthread.php?f=76&t=808482
In the 2nd post, if you try to click delete.jpg it won't let you download it without logging in. I want this similar feature for my site.
The site is created in PHP, with a MySQL database.
The folder itself should have security permissions set that regular users do not have access to it, only whatever user runs the PHP process.
Your PHP scripts act as a passthrough for the actual file system. The users don't have permissions to see a list of files, but your scripts do. The users don't have permissions to access a file, but your scripts do so you can open them as binary files and write the data out to be sent to the user.
Do some research into PHP File Downloaders, this is fairly standard behaviour.
You could use cookies to signify that the user has been there before, and been authenticated. Make the value of the cookie be fairly random, so it can't be guessed. I would encrypt the username . timestamp and store that with the username, so username_token and that way you can time people out and force them to login, if you want, later.
Then, move the files out of the webapp directory, and have a cgi program that will show the files in the directory, and allow them to download them.
This way you can control what people see, and what actions are allowed.