Julien

Reputation: 159

Restrict access to directory for users

I'm coding a small website with login for members. Every member has a dedicated folder and I'd like to know how to deny all access to this folder from everyone except from the user when he's logged in.

For now, I've set up things like that:

1) Every folder has an .htaccess with deny from all

2) When a user logs in, I use PHP to identify the user and get his folder. I get the user's IP address and I edit the .htaccess with

order deny,allow
deny from all
allow from 178.197.XXX.XXX

3) Once the user logs out, I reset the .htaccess to deny from all again

Is there a better way? And are there security risks?

Upvotes: 0

Views: 1301

Answers (1)

Alex Howansky

Reputation: 53646

Don't use IP. One user is not equal to one IP.

Store the folders outside the document root of your web server. This way, the files can never be served directly by the web server itself.

I.e., do not serve the files directly like http://my.site.com/path/to/actual/file. Instead require that the file be requested through a proxy PHP script like http://my.site.com/getfile.php?file=name. The script would check that a user is logged in, check that a file named name exists in that user's directory, and then spew it with readfile() or similar.

Also, in general, your files should never be writable by the user that the web server process runs as -- especially your .htaccess files.

Upvotes: 1
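An added example of the proxy-script pattern the answer describes (not code from the question or answer). It assumes the login state is held in $_SESSION['user_id'] and that each user's folder lives under /srv/private/users/<user_id>/, a directory outside the document root; both names are assumptions. The script refuses any name that is not a bare file name and then re-checks, after realpath(), that the resolved file still sits inside the caller's own directory, so traversal sequences and planted symlinks cannot reach another user's folder.

```php
<?php
// getfile.php - proxy script that serves a file from the logged-in user's folder.
// Assumed: $_SESSION['user_id'] is set by the site's login code (hypothetical name),
// and user folders are stored at /srv/private/users/<user_id>/, outside htdocs.

declare(strict_types=1);
session_start();

const USER_STORAGE_ROOT = '/srv/private/users';   // assumed location, not web-reachable

// 1. Only logged-in users may request files at all.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// 2. The caller's own directory is the only directory this script will read from.
$userDir = realpath(USER_STORAGE_ROOT . '/' . (int) $_SESSION['user_id']);
if ($userDir === false) {
    http_response_code(404);
    exit('No storage for this user');
}

// 3. Accept a bare file name only: any directory component ("../x", "/etc/passwd")
//    is rejected before the name ever reaches a filesystem call.
$name = $_GET['file'] ?? '';
if ($name === '' || basename($name) !== $name || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
    http_response_code(400);
    exit('Invalid file name');
}

// 4. Canonicalise and confirm the result is still inside the user's directory.
//    realpath() follows symlinks, so a link pointing elsewhere is caught here too.
$path = realpath($userDir . '/' . $name);
if ($path === false || !is_file($path) || strpos($path, $userDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('File not found');
}

// 5. Stream the file. A fixed Content-Type plus "attachment" keeps the browser from
//    rendering user-uploaded HTML or SVG inside the site's own origin.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the storage root is outside the document root, a request for the raw path returns nothing from Apache regardless of any .htaccess, and the PHP session check is the single access decision.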
