shasi kanth

Reputation: 7094

Deny access to directory files via browser with htaccess

I want to deny access (from all non-logged in users) to all the files in a directory from the browser.

Only a logged in user can access his files in that folder. The file paths are stored in the database with the logged in user id, so that when the user logs in, he can view or download only his files.

So I don't want others (without logging in) to access the folder and files from the browser, and secondly, I want the users to be able to view only their files in the folder.

I think the second thing I can do with some condition checks in PHP, but for the first one, can anyone tell me the htaccess rule to achieve it?

Thank you

Upvotes: 0

Views: 4213

Answers (5)

shasi kanth

Reputation: 7094

Thanks for your replies. By the way, I found a code snippet that is working just fine. I inserted the following lines in my .htaccess file:

# No space after the comma: Order takes a single argument
Order deny,allow
deny from all

Upvotes: 0

Atif

Reputation: 10880

Don't show them the actual folder path where their files are stored.

Use a PHP file to fetch the downloadable content.

e.g. download.php?file=mydocument.doc

Cons:

  1. Might be slow
  2. No Download Resume support (I guess)

Upvotes: 1
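
One way to combine the ideas in this thread: the folder stays denied to browsers by .htaccess, and a PHP download script adds the per-user ownership check the question asks about. This is an added example, not code from any of the answers; the `user_files` table and its columns, the numeric `id` parameter (used instead of a file name so the request never carries a path), and the function names are assumptions.

```php
<?php
/** Return the real path of file $fileId if $userId owns it, else null.
 *  Hypothetical table: user_files(id, user_id, stored_name). */
function resolveOwnedFile(PDO $db, string $storageDir, int $userId, int $fileId): ?string
{
    // Ownership is part of the query, so another user's file id never matches.
    $stmt = $db->prepare('SELECT stored_name FROM user_files WHERE id = ? AND user_id = ?');
    $stmt->execute([$fileId, $userId]);
    $name = $stmt->fetchColumn();
    $base = realpath($storageDir);
    if ($name === false || $base === false) {
        return null;
    }
    // basename() strips directory parts; the resolved file must sit directly in $base.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($path === false || !is_file($path) || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

/** Body of download.php?id=N; assumes the login code sets $_SESSION['user_id']. */
function handleDownload(PDO $db, string $storageDir): void
{
    session_start();
    $fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    $path = (!empty($_SESSION['user_id']) && is_int($fileId))
        ? resolveOwnedFile($db, $storageDir, (int) $_SESSION['user_id'], $fileId)
        : null;
    if ($path === null) {
        http_response_code(404); // same reply for not logged in, missing, and not yours
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
// Constructed demo data for a CLI run: two users, one file each.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/owned_files_demo';
    is_dir($dir) || mkdir($dir);
    foreach (['a1.bin', 'b2.bin'] as $f) { file_put_contents("$dir/$f", 'demo'); }
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE user_files (id INTEGER PRIMARY KEY, user_id INTEGER, stored_name TEXT)');
    $db->exec("INSERT INTO user_files VALUES (1, 10, 'a1.bin'), (2, 20, 'b2.bin')");
    var_dump(resolveOwnedFile($db, $dir, 10, 1)); // user 10 asks for own file
    var_dump(resolveOwnedFile($db, $dir, 10, 2)); // user 10 asks for user 20's file
}
```

PHP reads the files from disk, so the storage directory can keep its `deny from all` rule and this script remains the only route from a browser to the files.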

Kel

Reputation: 7780

There's an article which describes the access control feature of the Apache web server thoroughly: http://httpd.apache.org/docs/2.0/howto/auth.html

The easiest variant looks as follows:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
# A Require line is needed for Apache to actually ask for credentials
Require valid-user

BTW, this part:

Only a logged in user can access his files in that folder. The file paths are stored in the database with the logged in user id, so that when the user logs in, he can view or download only his files.

will require either creation of separate password files for each folder, or some additional scripting.

There are some known issues with this approach:

  • The Basic authentication scheme sends passwords as clear text, which is not good if your site is accessible by HTTP (not HTTPS). There's also the Digest authentication type, but there were some problems with browser support

  • The logout operation will require closing the browser

Generally, I'd recommend:

  • Apache's built-in capabilities - for simple access control without detailed user privileges/rights configuration

  • Custom access control by means of some web programming tools - for an authentication scheme with supposed privileges/rights configuration. There are many web development frameworks which provide an access control feature.

Upvotes: 0

Adnan

Reputation: 26350

For the part of .htaccess user access you can take a look here at the .htaccess Password Generator

Upvotes: 1

Asif Mulla

Reputation: 1664

You can disable default directory browsing using .htaccess.

  • Open your .htaccess file

  • Look for Options Indexes

  • If Options Indexes exists modify it to Options -Indexes or else add Options -Indexes as a new line

    The directory browsing feature should be disabled by now

Upvotes: 0
