Koozali.org: home of the SME Server

Secure Files Folder?

Offline Smitro

« on: May 28, 2006, 09:55:05 AM »
hi,

I build a fair few php scripts and I'm wanting to build a script that pulls a file from a non web served directory. Basically the script allows a file to pass through it after a couple of checks and balances are passed. I don't want people to be able to access the files directly, e.g. only if the user is logged on.

I thought that's what the files folder in an Ibay was for... That is, until I found out you can go directly to it by going to http://domain/files/file_name

Is there a way I can make this folder non accessible directly? Maybe getting rid of the link to the folder through /files/?

My other thought was maybe to create another Ibay, but not actually link it to a domain name.

Thoughts? Anyone done this before?

Offline Smitro

« Reply #1 on: June 03, 2006, 01:58:28 AM »
Don't all rush at me at once...

 :lol:

Offline Curly

« Reply #2 on: June 03, 2006, 01:38:09 PM »
On another ibay, you could restrict the web-access (Server-manager: Public access via web or anonymous ftp).

To prevent direct access, you could use an 'anti-leech' solution, so deny access directly and only allow access through the script. But that's a lot of coding, so lots of possible errors. My best guess would be that you should also try to hide the path-name where the file is stored.

The best way is to put the files outside the web-served-directory. That requires your file-serving-script to be real secure; you don't want to share any other files.

Offline Smitro

« Reply #3 on: June 06, 2006, 02:33:30 AM »
I think I have the answer... This has been tested and works.

I tried my idea above of creating a new Ibay, but php wouldn't allow me to access it because of the "open_basedir" setting that restricts you to only use files in the Ibay. Which is a great idea. (I don't want other users requesting my scripts through php)

So I thought of the next logical option. I created a directory in the ibay next to "html" and "files" called "secure" and changed the permissions. (An easy way to get this right: log in to the web panel after creating the folder (as root through ssh), change the assigned group to another group, then back again, and the permissions are set to the same as the rest in the folder.)

And voilà! I'm done. I can't access the folder through mydomain/secure/filename.txt but I can access it through a php script. And because it's done through PHP the path is hidden and as far as the user can see it's magic.  :-)

If anyone can see some obvious flaws in this sort of security let me know.
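An added example, not part of the original thread or any poster's code: a gatekeeper script for the layout described above, showing the login check plus the path-containment check that keeps the script from handing out files outside "secure". It assumes PHP 7 or later, a script at `html/download.php`, a session key `user_id` set at login, and a query parameter `f`; all of those names are hypothetical.

```php
<?php
// Added example. Assumed layout: <ibay>/html/download.php and <ibay>/secure/.
// The session key 'user_id' and the query parameter 'f' are hypothetical names.
declare(strict_types=1);

/**
 * Resolve $name inside $baseDir. Returns the canonical path, or null if the
 * name is empty, escapes the directory, is missing, or is not a regular file.
 */
function resolve_secure_path(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so the prefix check below
    // is made against the file that would really be opened.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Trailing separator stops "/secure-old/x" from matching "/secure".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function serve_download(): void
{
    session_start();
    if (empty($_SESSION['user_id'])) {        // only logged-on users pass
        http_response_code(403);
        exit('Login required');
    }
    $name = $_GET['f'] ?? '';
    $path = is_string($name)
        ? resolve_secure_path(__DIR__ . '/../secure', $name)
        : null;
    if ($path === null) {                     // same reply for every failure
        http_response_code(404);
        exit('Not found');
    }
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

serve_download();
```

A request such as `download.php?f=../html/config.php` resolves outside "secure" and gets the same 404 as a missing file, so the response does not reveal which paths exist.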