
php / .htaccess integration? Folder Protection?


justhost


See, the issue I am having is this. I have used PHP / MySQL login authentication to secure all of the PHP pages in the members area of a site. The problem I have is: what if there are HTML files or PDF files in the members folder that I don't want people to have access to?

 

For example, my members folder is /public_html/members/ and I have a documents folder in there where I store PDF files for members only at /public_html/members/documents/. If I only use PHP for authentication (i.e. user/pass from a MySQL database) then someone can browse directly to one of the PDF files and view it without a password (i.e. www.domainname.com/members/documents/file1.php). The only way I know of to prevent this is with an htaccess file. I need to maintain the PHP login which integrates with the MySQL table, since the members area is customized per member.

 

Can anyone give me an idea as to what I need to do?

 

Thank you.

 

Keith G

One thing you can do is prevent directory listing in Apache. In Apache 2.0 you would configure it like this:

 

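# -Indexes turns off automatic directory listings for this directory.
# Every option carries + or -: Apache 2.4 refuses to start on a mix of signed and unsigned options.
<Directory [absolute path to directory here]>
     Options -Indexes +MultiViews +SymLinksIfOwnerMatch +IncludesNoExec
</Directory>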

 

Here is an example. I didn't want my users directory to be browsable. My PHP code creates a new folder based on their username. So here is the directive I put in the /etc/apache2/sites-enabled/000-default file:

     # Disable directory listings under /var/www/users/
     <Directory /var/www/users/>
          Options -Indexes +MultiViews +SymLinksIfOwnerMatch +IncludesNoExec
     </Directory>

 

I hope that helps. I think what you may need to look into is the mod_auth_mysql module though, but I am not sure. The above directive still allows people to download and view files, but they would have to guess the URL. A cracker could code a program that does that, but it's unlikely.
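
One common way to put the PDFs behind the same PHP/MySQL login, as an added example that is not from either poster: keep the documents outside the web root and hand them out through a script that checks the session first. The script name `download.php`, the session key `member_id`, the query parameter `f` and the directory path are all assumptions.

```php
<?php
// download.php -- added example; the names used here are assumptions, not from the thread.
// Assumes the existing login script sets $_SESSION['member_id'] on success and that
// the PDFs were moved out of public_html, so Apache never serves them directly.
declare(strict_types=1);

const DOCS_DIR = '/home/example/private/members/documents'; // hypothetical path

/**
 * Map a requested name to a real file inside $baseDir, or null if the name is
 * malformed, resolves outside the directory, or is not an existing .pdf file.
 */
function resolve_document(string $requested, string $baseDir): ?string
{
    // Allow-list the name: a single path component, safe characters, .pdf only.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.pdf\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() follows symlinks; the resolved path must still sit under the base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['member_id'])) {   // same session the member pages rely on
    http_response_code(403);
    exit('Login required');
}

$name = $_GET['f'] ?? '';
$path = is_string($name) ? resolve_document($name, DOCS_DIR) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// $name passed the allow-list above, so it is safe to echo into the header.
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Links in the members area would then point at `download.php?f=file1.pdf` rather than at the file itself, so a guessed URL no longer reaches the document without a logged-in session.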

 

Archived

This topic is now archived and is closed to further replies.
