bigdoggy59, posted July 19, 2010
Topic: https://forums.phpfreaks.com/topic/208132-block-e-mail-request-for-web-page/

Environment: Web site hosted on a Linux box. Using CPanel's File Manager to password-protect a folder for our Sales group.

Problem: One of our sales guys logged into the Sales area, opened a report, then clicked "send as e-mail" to a customer. The customer receives the e-mail, gets a popup asking for username and password (as it should be). She clicks "Cancel" then gets to see the report anyway (not good). She tries again and intentionally fails the log in - and gets to see the report anyway (even more not good). Then I get notified.

Question: Is there any way in PHP to keep a password-protected page from being accessed from an e-mail? Do I need to ignore the File Manager and build (or use) a PHP authentication class?

Honestly, I didn't realize this was a security risk until now and would like to plug it before someone decides to send something more dangerous than a price sheet.

trq, posted July 19, 2010

> Is there any way in PHP to keep a password-protected page from being accessed from an e-mail?

From email or not. Sounds like your password protection isn't working. Emails simply contain links which, when clicked on, make an HTTP request for the resource.

bigdoggy59, posted July 19, 2010

> From email or not. Sounds like your password protection isn't working. Emails simply contain links which, when clicked on, make an HTTP request for the resource.

Until this situation occurred, I'd have said the same thing. What's odd is that if you try to go to the page directly and don't log in, you get a 403-Access Denied. When the page has been sent as e-mail, it still asks for the password, but then shows the page whether a login is entered or not.

trq, posted July 19, 2010

Maybe the 'send as e-mail' option actually downloads and attaches the page to the email. If that is the case, it's still out of your hands.

Archived
This topic is now archived and is closed to further replies.