Excellent suggestion. Another recent thought I had was to put certain files outside the web root (e.g. /var/notwebroot/) and use PHP to fetch those files after authenticating through a "php fetch file" script.
Thanks Boyle!
On 4/5/06, Boyle Owen <[EMAIL PROTECTED]> wrote:
> -----Original Message-----
> From: David Bernal [mailto:[EMAIL PROTECTED] ]
> Sent: Dienstag, 4. April 2006 18:21
> To: users@httpd.apache.org
> Subject: [EMAIL PROTECTED] Secure Apache Directories
>
> Hello All,
>
> I've setup my own authentication scheme with PHP/MySQL but it
> didn't help with "non php files". For example, If i post a
> document SECURE.PDF, how do I secure it from being seen by
> the outside world?
I presume you're using cookies for session-handling: the server gives a cookie after checking the credentials and thereafter, the client submits this cookie with every request in that realm? Then, you have to pass every request through the session-handling logic - what's happening with your case is that the PDF requests are being directly served by apache.
I've never used PHP for session-handling (maybe someone who has could chip in here?) but I guess you could rewrite the request internally so that it's handled by PHP (then the user doesn't see the URL change), eg:
RewriteRule ^/subdir/(*.pdf) /phpdir/get_file.php?$1
so now a request for /subdir/wibble.pdf will be handled by /phpdir/get_file.php?wibble.pdf. You'll have to write get_file.php to read the file off the disk and return it to the client (NB: remember to set the correct mime-type). There are probably example progs on the PHP website...
Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.
>
> I don't want to use .htaccess directory security AND my PHP
> authentication. I really just want one web-based login
> script that handles .htaccess type security for all file types.
>
> I hope this makes sense. Any direction on what I can research?
>
> Thanks,
>
> David
>
Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal nature. It is not related to the exchange or business activities of the SWX Group. Le présent e-mail est un message privé et personnel, sans rapport avec l'activité boursière du Groupe SWX.
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html > for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
