16

I want to have a folder, let's call it docs, that contains documents that logged-in users can download. These have very sensitive information. How can I best secure the folder? I come from a PHP background so want to know if I have overlooked anything.

I will secure the folder with .htaccess and also when the users click download they are never shown the folder. The download is forced through to them via PHP, removing the folder name.

Of course, to secure the users area I am implementing sanitation and validation on all input fields plus watching out for SQL injections. Using an SSL connection. Turned off all PHP warnings. The secure area uses SESSION variables to control access and re-verify users for special tasks such as changing passwords. Plus a timeout feature of 10 minutes, after which the user has to re-enter details.

I am trying to be as thorough as possible so any advice no matter how small will be welcomed.

Somk

2 Answers

37

Put the files outside of the webroot. Then, using PHP, pass the file through a script. That way no one can link to the file directly and bypass your controls. (Naturally, make sure the script does this only after verifying the user has permission to retrieve that file.)

Sample PHP:

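```php
<?php
    // Resume the session so $_SESSION is populated before the check.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }

    // Refuse to serve anything to a visitor who has not logged in.
    if (!isset($_SESSION['authenticated'])) {
        exit;
    }
    // The file lives outside the web root, so it cannot be requested directly.
    $file = '/path/to/file/outside/www/secret.pdf';

    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    // Discard buffered output (if any) so it cannot corrupt the download.
    if (ob_get_level() > 0) {
        ob_clean();
    }
    flush();
    readfile($file);
    exit;
?>
```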
John Conde
  • As an alternative to putting files outside of the web root, you might also find some combination of file permissions that allows PHP to read the file, but doesn't allow Apache to serve it up to the world, like `chmod o-rwx`, in other words, remove permissions for 'others'. – Marcus Adams May 31 '12 at 14:28
  • I tried this code and it works great, but it downloads to my computer. How can I display a picture from this code? – crazyoxygen Dec 13 '12 at 03:53
  • And how about timeouts? – Flash Thunder Nov 21 '13 at 13:50
  • To link images use: http://stackoverflow.com/questions/258365/php-link-to-image-file-outside-default-web-directory – danielson317 Feb 05 '16 at 15:59
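
The sample in the answer above serves one hard-coded file. As an added example (not part of the original answer), here is one way to serve a file named in the request while keeping the lookup inside the protected directory and checking the user's permission first. The `doc` query parameter, the `allowed_docs` session key and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: documents live in this directory outside the web root.
const DOCS_DIR = '/path/to/file/outside/www';

/**
 * Map a user-supplied name to a real file inside $baseDir, or null.
 * realpath() resolves "..", symlinks and duplicate slashes, so the prefix
 * check is made against the path the OS would actually open.
 */
function resolve_document(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The trailing separator stops "/docs-private" from matching a "/docs" base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** Hypothetical per-user rule: the session lists the documents a user may fetch. */
function user_may_download(array $session, string $path): bool
{
    return !empty($session['authenticated'])
        && in_array(basename($path), $session['allowed_docs'] ?? [], true);
}

session_start();
$doc  = $_GET['doc'] ?? '';
$path = resolve_document(DOCS_DIR, is_string($doc) ? $doc : '');
if ($path === null || !user_may_download($_SESSION, $path)) {
    // Same response for "missing" and "forbidden" so file names cannot be probed.
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
exit;
```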
0

In addition to John Conde's answer, you can rewrite the download URL to another, non-sensitive folder as a honeypot for users who try to go beyond their access.

And add this kind of rule to your .htaccess:

```apache
# Do not generate directory listings.
Options -Indexes

# Never serve the .htaccess file itself.
<files .htaccess>
  order allow,deny
  deny from all
</files>

# Add all the files you want to protect, except the ones you share...
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>
```
Dark
  • Thank you for your suggestion. Could you please explain this a little more? You are suggesting putting the download file in a honeypot folder and then blocking all of the files? – Somk Jun 01 '12 at 09:46
  • Basically, yes! The idea is to hide your real folder, and block all attempts to access files inside the folder and outside. – Dark Jun 01 '12 at 11:52