On Wednesday 21 August 2002 08:59, Roger Lewis wrote:
> I haven't been able to find much on this subject in the archives.
>
> Using sessions I have been able to have the server validate the user's
> access level before serving him a page. I put include files on each page
> that I want authenticated. This is all well and good, except on my pages
> there are links to non-html, and non-php files that are stored in document
> directories on the server.
>
> How, on a file-by-file basis, do I ensure that the user is authorized to
> download these files? If he gets to them through the link I provide, this
> is acceptable because he is already authorized to view the page that the
> link is on. However, if he somehow knows the full path to the file, he can
> get to it directly, bypassing the link and overriding the authentication
> system.

Try searching the archives. It has been discussed many times before.

--
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
Dealing with the problem of pure staff accumulation,
all our researches ... point to an average increase of 5.75% per year.
		-- C.N. Parkinson
*/
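
The bypass described in the question (requesting a file by its full path, so the session check in the page's include never runs) is commonly closed by storing the files outside the document root and serving them through a script that repeats the check for each file. The following is an added example, not part of the original thread; `PRIVATE_DIR`, `FILE_LEVELS`, the `access_level` session key and the `file` query parameter are assumed names.

```php
<?php
// Added example, not from the thread. Assumed names: PRIVATE_DIR, FILE_LEVELS,
// $_SESSION['access_level'], and the "file" query parameter.
declare(strict_types=1);

const PRIVATE_DIR = '/var/www/private_docs';   // assumed path outside the document root
const FILE_LEVELS = [                          // constructed sample: file => minimum level
    'handbook.pdf' => 1,
    'payroll.xls'  => 3,
];

// True only if the file is listed and the session's level is high enough (deny by default).
function may_download(array $session, string $name): bool
{
    return array_key_exists($name, FILE_LEVELS)
        && isset($session['access_level'])
        && (int) $session['access_level'] >= FILE_LEVELS[$name];
}

// Resolve $name inside $baseDir; null if it is missing or escapes the directory.
function resolve_download(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() collapses "../" and symlinks, so a prefix check is meaningful here.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

session_start();
$name = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';

if (!may_download($_SESSION, $name)) {
    http_response_code(403);
    exit('Forbidden');
}
$path = resolve_download(PRIVATE_DIR, $name);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . filesize($path));
readfile($path);
```

Links on the authenticated pages then point at this script (for example `download.php?file=handbook.pdf`, a hypothetical name) rather than at the file, which no longer has a URL of its own.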