Hello all

I have just implemented a MySQL authorization: each html and php page checks 
to see whether a user is logged in by checking a cookie in the user browser. 
The user can log out and edit her profile (including password). If a page is 
called without the user being logged in, he is presented with a log in form. 
This works very well. There is an SSL connection to the server. Only a hash 
value of the password is stored in the database.

However, if I directly request a graphic (or a ZIP file etc) from the site, 
by entering:
https://www.myserver.com/photo.jpg for example, I can download that file 
without being logged in (naturally).

In the particular *intranet* project that I am working on, this is 
particularly undesirable, as only personnel at the company’s four locations 
may have access to the intranet. And there certainly will be a lot of 
‘confidential’ ZIP and graphic files placed on the server.

I do realize that if I were to place a .htaccess file in the root of the 
intranet server, I could prevent the above from happening, but then I lose 
the advantage of having the user's profile in a database, where a user can 
easily change her password. Allowing a web user to edit a password in the 
.htaccess file poses more problems than it solves, especially as it 
certainly could occur that more than one person wants to edit his password 
simultaneously.

Could anyone suggest a method to allow a user to easily edit his password, 
but at the same time, not allow direct access to specific non-PHP files on 
the intranet server?

Perhaps one method would be to restrict access to the company’s four gateway 
servers (IP addresses). However, I feel this is not too secure, and these IPs 
could be spoofed (and this does not really solve the problem).

Any enlightenment on this subject would be well received.

TIA

S.




-- 
PHP General Mailing List (http://www.php.net/)

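The usual answer to the question above is to keep the confidential files where the web server will not serve them directly and hand them out only through a PHP gateway script that repeats the same session check the HTML/PHP pages already do. The following is an added example written for this thread, not code from the original post or from PHP itself; it assumes the login code sets `$_SESSION['user_id']` after verifying the stored password hash, and that the protected files live in `/var/www/intranet-private`, a directory outside the document root (both names are assumptions).

```php
<?php
// download.php (example gateway, not from the original post)
//
// Browsers never request the real file; pages link to
// download.php?file=report.zip and this script decides whether to
// stream the bytes. Because the files sit outside the document root,
// https://www.myserver.com/report.zip simply does not exist.

session_start();

// Same check the HTML/PHP pages perform. Assumption: the login form
// stores the user's id in the session once the password hash matches.
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit;
}

// Assumed location of the confidential files (outside the web root).
$base = realpath('/var/www/intranet-private');
$name = isset($_GET['file']) ? $_GET['file'] : '';

// Accept a bare file name only: anything containing a directory
// separator or "..", or an empty name, is rejected before touching disk.
if ($name === '' || $name !== basename($name) || $name === '.' || $name === '..') {
    http_response_code(400);
    exit;
}

// realpath() resolves symlinks and "." components; the prefix test then
// guarantees the resolved path is still inside $base.
$path = realpath($base . DIRECTORY_SEPARATOR . $name);
if ($base === false
    || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit;
}

// Serve the file. Content-Disposition forces a download, nosniff stops
// the browser from guessing a different type, and no-store keeps
// confidential files out of shared caches.
$mime = mime_content_type($path);
if ($mime === false) {
    $mime = 'application/octet-stream';
}
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Password changes keep working as before, because the gateway only consults the session, which the database-backed login already established; nothing has to be written to `.htaccess`. If for some reason the files must stay under the document root, the same script still works if that directory carries an `.htaccess` that denies all direct requests (`Require all denied` on Apache 2.4, `Deny from all` on 2.2): Apache then refuses the browser, while `readfile()` runs as the PHP process and reads the file from disk regardless.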