If you don't have a very high load, then you could move all non-PHP files
out of the htdocs root and use a pseudo-root directory htdocs/../rawfiles as root.
For example, image.jpg is placed in htdocs/../rawfiles/images; then access it
with /redirect.php?/images/image.jpg!
redirect.php only checks for authorization and then does an fpassthru!
That won't cost much!
> Hello all
> I have just implemented a mySQL authorization: each html and php page
> to see whether a user is logged in by checking a cookie in the user
> The user can log out and edit her profile (including password). If a page
> called without the user being logged in, he is presented with a log in
> This works very well. There is an SSL connection to the server. Only a
> value of the password is stored in the database.
> However, if I directly request a graphic (or a ZIP file etc) from the
> by entering:
> https://www.myserver.com/photo.jpg for example, I can download that file
> without being logged in (naturally).
> In the particular *intranet* project that I am working on, this is
> particularly undesirable, as only personnel at the company’s four
> may have access to the intranet. And there certainly will be a lot of
> ‘confidential’ ZIP and graphic files placed on the server.
> I do realize that if I were to place a .htaccess file in the root of the
> intranet server, I could prevent the above from happening, but then I
> the advantage of having the user's profile in a database, where a user can
> easily change her password. Allowing a web user to edit a password in the
> .htaccess file poses more problems than it solves, especially as it
> certainly could occur that more than one person wants to edit his
> Could anyone suggest a method to allow a user to easily edit his password,
> but at the same time, not allow direct access to specific non-PHP files on
> the intranet server?
> Perhaps one method would be to restrict access to the company’s four
> servers (IP addresses). However, I feel this is not too secure, and these
> could be spoofed (and this does not really solve the problem).
> Any enlightenment on this subject would be well received.
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
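
The redirect.php gatekeeper described in the reply, as an added example that is not part of the original post. It assumes the site's login page stores the user in `$_SESSION['user_id']` (the thread's cookie check is not shown) and that files live in a `rawfiles` directory next to `htdocs`; because the path arrives in the query string, it is resolved with `realpath()` and must stay under that directory before anything is streamed.

```php
<?php
// redirect.php: added example, not the poster's code.
// Assumption: login state is kept in $_SESSION['user_id'] by the site's own login page.
session_start();

// Raw files live outside the document root, as described in the reply.
$root = realpath(__DIR__ . '/../rawfiles');

// Map the query string (e.g. "/images/image.jpg") to a regular file under $root, or null.
function resolve_raw_file(string $root, string $query): ?string
{
    $relative = rawurldecode($query);
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks and returns false for missing files.
    $path = realpath($root . '/' . ltrim($relative, '/'));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still be below $root.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

$path = ($root === false) ? null : resolve_raw_file($root, $_SERVER['QUERY_STRING'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');

$fh = fopen($path, 'rb');
fpassthru($fh);
fclose($fh);
```

A request such as `/redirect.php?/../htdocs/config.php` resolves outside `rawfiles` and gets a 404 instead of the file's contents.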