php/apache - file, directory security
Hi there. I'm putting up a file sharing system in PHP.
Every user has a distinct username/password from each other.
On my central page I have a login form that, after a successful login, redirects to a file manager.
How do I prevent other users from downloading files from each other's area? (using direct links like http://www.website.com/users/user_a/file.mp3 )
thanks,
João
pr0gr4mm3r posted this at 18:37 — 27th October 2008.
The only way I know of is to store those files outside the web directory so they can't be directly downloaded, and then write a downloader script. The script will accept the requested file to download, and then do the necessary checks to make sure the request is valid (valid user, they have permissions to download it, etc). Then, it reads the file and then writes it to the output (web browser in this case).
decibel.places posted this at 23:22 — 27th October 2008.
DO NOT use an obvious structure like the username in the URL - assign a pseudo-random id to the user (you can cross ref them in your db).
You're basically talking about ACL issues, there are some resources in this Google search
You can also use a platform with fine-grained permissions like Drupal to manage your site's content and users.
pr0gr4mm3r posted this at 23:30 — 27th October 2008.
Why not?
decibel.places posted this at 23:52 — 27th October 2008.
Because, especially if security is a concern, if a user knows the structure of the url for her/his own files, and discovers the usernames of other users, bingo, you've got a leak.
For that reason, on a ratings site I work on, the images are assigned a pseudo-random filename associated with the user in the db when they are uploaded, so that they are really only viewable in the site...
pr0gr4mm3r posted this at 02:08 — 28th October 2008.
But that's why you verify the user's session before you pass the file. If you write a PHP script that's like a download manager, you can check to make sure the permissions are verified.
Random hard-to-guess names != security. Protect them instead.
decibel.places posted this at 03:25 — 28th October 2008.
I was commenting specifically on the OP's sample URL
It's critical to use verification for access
It doesn't hurt to avoid the obvious-
(I once went to a colleague's web site, password protected... guess what the log in was? uname: admin pw: admin -- funny thing is, even after I told him it was a security risk, he didn't change it...)
pr0gr4mm3r posted this at 03:59 — 28th October 2008.
True, the one biggest security risk is...the user.
JeevesBond posted this at 08:21 — 28th October 2008.
Security by hiding the username is a form of security by obscurity and generally doesn't work.
Just wanted to point that out, it's an interesting subject.
pr0gr4mm3r posted this at 14:10 — 28th October 2008.
That's the phrase I couldn't remember. I know it was o-b something, but I couldn't remember the word for the life of me.
decibel.places posted this at 15:42 — 28th October 2008.
Adding some extra security by obscurity couldn't hurt.
I agree that user validation is necessary - but if someone figures out how to hack that, the obscurity is another level of protection.
joaocarmopereira posted this at 22:26 — 5th November 2008.
Well, my idea is this:
I never show the user the path of the file. (Is this possible?)
When a user logs in, I create a session id (among hash in the process).
I've been thinking about the function to parse the download file.
It verifies:
1. Is the user of the specified area logged in?
2. Is the user's session id valid?
3. Is the file there?
If all this is true, then it outputs the file through a download file dialog box.
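The downloader script pr0gr4mm3r describes (files kept outside the web directory, a script that checks the session and the user's permission and then streams the file), decibel.places' suggestion of an opaque pseudo-random id cross-referenced in the database instead of the username in the URL, and the three checks in the post above all fit in one script. The following is an added example, not code from any of the posters. It assumes a directory /var/www/private/uploads that lies outside Apache's DocumentRoot (so Apache can never serve it directly and no Deny rule is needed), an SQLite file /var/www/private/files.db with a table files(id, owner_id, stored_name, original_name, mime), and that the login code has already put the user's id in $_SESSION['user_id']; these names are assumptions. The user only ever sees download.php?id=<32 hex chars>, never a path.

```php
<?php
// download.php - added example, not from the thread. Assumed layout (see lead-in):
//   /var/www/private/uploads/<stored_name>   files, OUTSIDE DocumentRoot
//   /var/www/private/files.db                SQLite: files(id, owner_id, stored_name, original_name, mime)
//   $_SESSION['user_id']                     set by the login page after session_regenerate_id(true)
declare(strict_types=1);

const STORAGE_DIR = '/var/www/private/uploads';
const DB_DSN      = 'sqlite:/var/www/private/files.db';

// Called by the upload handler (assumed). Returns the opaque id the user will see in URLs.
// Neither the id nor the on-disk name is derived from the username or the original filename.
function registerUpload(PDO $pdo, int $ownerId, string $tmpPath, string $originalName, string $mime): string
{
    $id         = bin2hex(random_bytes(16));           // 128-bit random, 32 hex chars
    $storedName = bin2hex(random_bytes(16)) . '.bin';  // no extension hint for the web server either
    if (!move_uploaded_file($tmpPath, STORAGE_DIR . '/' . $storedName)) {
        throw new RuntimeException('upload failed');
    }
    $stmt = $pdo->prepare('INSERT INTO files (id, owner_id, stored_name, original_name, mime) VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$id, $ownerId, $storedName, $originalName, $mime]);
    return $id;
}

function deny(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $msg;
    exit;
}

session_start();
$pdo = new PDO(DB_DSN, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Check 1: is anyone logged in? (session cookie is the only credential accepted here)
if (empty($_SESSION['user_id'])) {
    deny(401, 'Login required');
}
$userId = (int) $_SESSION['user_id'];

// Check 2: the id must be exactly 32 hex chars; nothing else reaches the DB or the filesystem.
$id = $_GET['id'] ?? '';
if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
    deny(400, 'Bad file id');
}

// Check 3: look the id up AND bind it to the current user in the same query, so a valid id
// that belongs to someone else behaves exactly like a non-existent one (no enumeration oracle).
$stmt = $pdo->prepare('SELECT stored_name, original_name, mime FROM files WHERE id = ? AND owner_id = ?');
$stmt->execute([$id, $userId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    deny(404, 'Not found');
}

// Check 4 (defence in depth against a bad DB row): the resolved path must still be inside STORAGE_DIR.
$path = realpath(STORAGE_DIR . '/' . $row['stored_name']);
if ($path === false || strncmp($path, STORAGE_DIR . '/', strlen(STORAGE_DIR) + 1) !== 0 || !is_file($path)) {
    deny(404, 'Not found');
}

// Stream the file. The original name appears only in Content-Disposition, sanitised to a safe
// character set; nosniff stops a browser turning an uploaded HTML file into a script in your origin.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
if ($safeName === '' || $safeName === null) {
    $safeName = 'download';
}
header('Content-Type: ' . $row['mime']);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Note that the random id is not what protects the file: the `owner_id = ?` condition in the query is. The id just keeps usernames and paths out of URLs and logs, as decibel.places wanted, and the realpath check is there so that even a corrupted or attacker-influenced `stored_name` in the database cannot point the script at a file outside the upload directory.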