
Viewing Thread:
"PHP unprotect / download file"

The "Freeola Customer Forum" forum, which includes Retro Game Reviews, has been archived and is now read-only. You cannot post here or create a new thread or review on this forum.

Mon 01/08/05 at 12:44
Regular
"Peace Respect Punk"
Posts: 8,069
So currently I've got a login page set up that initially displays a login box. The submitted username & password are passed back to the same PHP page, which connects to a MySQL database to ensure it is a valid user/pass combo.

If it is, the page displays all the files within a download folder. Now, I want this folder to be protected so no-one can simply type the URL of the folder (or one of the files contained within) and gain access. The only way I know of to do this is with .htaccess... If a folder is protected with .htaccess though, can I somehow unprotect it with the php page once a user has successfully logged on? Or is there some way of downloading the file with the php, as I'm under the impression server side scripts can still access .htaccess protected files/folders...?

Cheers in advance for any replies...
Mon 01/08/05 at 16:44
Regular
"Peace Respect Punk"
Posts: 8,069
Hmm... Odd...

I have written a download.php file to force download of the file passed to it, if the information in the $_SESSION variable (set on the logon page) is valid logon information...

However, the first line of the code checks that the relevant $_SESSION variables (e.g. $_SESSION['username'] & $_SESSION['password']) are both set... And it says they aren't.

I've echoed the variables, and nothing displays on the page, although on the logon page they are set and display fine...

I thought $_SESSION was a global variable so any variables I set in the $_SESSION array should be set in every page yes...?

Confused...
Mon 01/08/05 at 14:27
Regular
Posts: 10,364
Sibs wrote:
> Surely anyone can still access files though? Sounds like that'd work
> fine for .php files, but not for things you want the user to download
> or images or whatever...

Sorry, misread your post.

Ignore what I wrote.
Mon 01/08/05 at 13:52
Regular
"Peace Respect Punk"
Posts: 8,069
I shall look into that! Cheers!
Mon 01/08/05 at 13:46
Regular
"NULL"
Posts: 1,384
Nono, much simpler than that.

Say your root webserver directory is: /usr/httpdocs/

Put the files in a folder such as: /usr/filestore/

Then have a file called "file.php" in /usr/httpdocs/ containing the following code.


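<?php
// Insert code here to check the user is logged in
// If the user is valid, execute the code below:

// basename() drops any directory part, so a filename containing "../" cannot reach outside /usr/filestore/
readfile("/usr/filestore/" . basename($_GET['filename']));

?>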

When someone wants to download a file, they would click a link something like:

Download file

You may also wish to look into functions such as:

header('Content-type: application/pdf');
header('Content-Disposition: attachment; filename="downloaded.pdf"');

You should use these to tell the browser what type of file it is receiving, and you can give it a filename as well, so when the user saves it to the hard drive, it is called "mydoc.doc" rather than "file.php".
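
A fuller version of the download script discussed in this thread, as an added example that is not any poster's own code: it calls session_start() before reading $_SESSION (without that call the array is empty on the new page, the usual cause of the symptom described in the download.php post above), then confines the requested name to the file store before sending the headers and the file. The helper resolve_download() and the constant FILESTORE are hypothetical names; $_SESSION['username'] and /usr/filestore/ are taken from the posts.

```php
<?php
// Added example, not code from the thread. Assumes the login page called
// session_start() and set $_SESSION['username'] after a successful login.
declare(strict_types=1);

const FILESTORE = '/usr/filestore'; // directory outside the web root, as in the post

// Resolve a requested name to a real file inside $store, or return null.
function resolve_download(string $store, string $requested): ?string
{
    $name = basename($requested);            // drop any directory components
    if ($name === '' || $name[0] === '.') {  // refuse empty names and dotfiles
        return null;
    }
    $base = realpath($store);
    $path = realpath($store . DIRECTORY_SEPARATOR . $name); // follows symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // After symlink resolution the file must still sit under the store.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();                             // required before reading $_SESSION
if (empty($_SESSION['username'])) {
    http_response_code(403);
    exit('Please log in first.');
}

// A non-string value (e.g. filename[]=x) is rejected rather than cast.
$requested = $_GET['filename'] ?? '';
$path = is_string($requested) ? resolve_download(FILESTORE, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

// Anything outside a conservative character set is replaced so the name
// cannot break out of the quoted header value.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Only a logged-in flag such as the username needs to live in the session; the password itself does not have to be kept there for this check to work.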
Mon 01/08/05 at 13:26
Regular
"Peace Respect Punk"
Posts: 8,069
Hmm... Interesting... I shall look into that function... However, would I need to be using something else (ie. JavaScript) to detect when the user has clicked the file link...?
Mon 01/08/05 at 13:22
Regular
"NULL"
Posts: 1,384
How about storing the files outside of the web server directory, and then use the PHP readfile() command to stream the file to the user when it is requested?

That would work fine.
Mon 01/08/05 at 13:06
Regular
"Peace Respect Punk"
Posts: 8,069
gamesfreak wrote:
> For my sites, I just use a SESSION variable.
>
> When the user logs in, set a session and go to the next page.
>
> At the top of the protected page, check whether the SESSION variable
> is set, if not, redirect to the login page. If it is, display the
> page.
>
> I suddenly have a feeling this might not be safe, but it seems to
> work for me.


Surely anyone can still access files though? Sounds like that'd work fine for .php files, but not for things you want the user to download or images or whatever...
Mon 01/08/05 at 13:05
Regular
"Peace Respect Punk"
Posts: 8,069
Thing is, I want anyone to be able to download these files, as long as they have a valid username / password...

If I only allow my IP won't I be the only one allowed to download it (and only from my own IP)...?
Mon 01/08/05 at 13:04
Regular
Posts: 10,364
For my sites, I just use a SESSION variable.

When the user logs in, set a session and go to the next page.

At the top of the protected page, check whether the SESSION variable is set, if not, redirect to the login page. If it is, display the page.

I suddenly have a feeling this might not be safe, but it seems to work for me.
Mon 01/08/05 at 12:48
Regular
"Pouch Ape"
Posts: 14,499
I think with images and files you have to deny all and allow your own IP, then it can only be accessed via a direct link on the page, which will only display if logged-in.
