开发者

Deny access to directory files via browser with htaccess

开发者 https://www.devze.com 2023-01-23 02:51 出处:网络
i want to deny access (from all non-logged in users) to all the files in a directory from the browser.

i want to deny access (from all non-logged in users) to all the files in a directory from the browser.

Only a logged in user can access his files in that folder. The file paths are stored in the database with the logged in user id, so that when the user logs in, he can view or download only his files.

So i dont want others (w开发者_运维技巧ithout logging in) to access the folder and files from the browser, and secondly, i want the users to be able to view only their files in the folder.

I think, Second thing i can do with some condition checks in php, but for the first one, can anyone tell me the htaccess rule to achieve ?

Thank you


dont show them the actual folder path where their files are stored.

Use a php file to fetch the downloadable content.

eg :- download.php?file=mydocument.doc

Cons :

  1. Might be slow
  2. No Download Resume support (I guess)


For the part of .htaccess user access you can take a look here at the .htaccess Password Generator


You can disable default directory browsing using .htaccess.

  • Open your .htacces file

  • Look for Options Indexes

  • If Options Indexes exists modify it to Options -Indexes or else add Options -Indexes as a new line

    The directory browsing feature should be disable by now


There's article, which describes access control feature of Apache web server thoroughly: http://httpd.apache.org/docs/2.0/howto/auth.html

The easiest variant looks in the following way:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords

BTW, this part:

Only a logged in user can access his files in that folder. The file paths are stored in the database with the logged in user id, so that when the user logs in, he can view or download only his files.

will require either creation of separate password files for each folder, or some additional scripting.

There are some known issues with this approach:

  • Basic authentication scheme sends passwords as a clear text, which is not good if your site is accessible by HTTP (not HTTPS). There's also Digest authentication type, but there were some problems with browser support

  • Logout operation will require browser closing

Generally, I'd recommend:

  • Apache built-in capabilities - for simple access control without detailed users privileges/rights configuration

  • Custom access control by means of some web programming tools - for authentication scheme with supposed priveleges/rights configuration. There are many web development frameworks, which provide access control feature.


thanks for your replies, between i found a code snippet that is working just fine. I inserted the following lines in my .htaccess file:

Order deny, allow
deny from all

0

精彩评论

暂无评论...
验证码 换一张
取 消