httpd-users mailing list archives

From "David Bernal" <>
Subject Re: [users@httpd] Secure Apache Directories
Date Wed, 05 Apr 2006 16:07:38 GMT
Excellent suggestion.  Another recent thought I had was to put certain files
outside the web root (e.g. /var/notwebroot/) and use PHP to fetch those
files after authenticating through a "php fetch file" script.

Thanks Boyle!

On 4/5/06, Boyle Owen <> wrote:
> > -----Original Message-----
> > From: David Bernal []
> > Sent: Dienstag, 4. April 2006 18:21
> > To:
> > Subject: [users@httpd] Secure Apache Directories
> >
> > Hello All,
> >
> > I've set up my own authentication scheme with PHP/MySQL but it
> > didn't help with "non php files".  For example, if I post a
> > document SECURE.PDF, how do I secure it from being seen by
> > the outside world?
> I presume you're using cookies for session-handling: the server gives a
> cookie after checking the credentials and thereafter, the client submits
> this cookie with every request in that realm? Then, you have to pass every
> request through the session-handling logic - what's happening with your case
> is that the PDF requests are being directly served by apache.
> I've never used PHP for session-handling (maybe someone who has could chip
> in here?) but I guess you could rewrite the request internally so that it's
> handled by PHP (then the user doesn't see the URL change), eg:
> RewriteRule ^/subdir/(.*\.pdf)$ /phpdir/get_file.php?$1
> so now a request for /subdir/wibble.pdf will be handled by
> /phpdir/get_file.php?wibble.pdf. You'll have to write get_file.php to read
> the file off the disk and return it to the client (NB: remember to set the
> correct mime-type). There are probably example progs on the PHP website...
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
> >
> > I don't want to use .htaccess directory security AND my PHP
> > authentication.  I really just want one web-based login
> > script that handles .htaccess type security for all file types.
> >
> > I hope this makes sense.  Any direction on what I can research?
> >
> > Thanks,
> >
> > David
> >

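The get_file.php script described in the thread, combined with keeping the files outside the web root, written here as an added example (not code from either poster). It assumes the login script sets a hypothetical `$_SESSION['user_id']`, that the files live in /var/notwebroot, and that the rewrite passes the file name as the raw query string.

```php
<?php
declare(strict_types=1);
// get_file.php: added example, not code from the thread.
// Assumptions: the login script sets $_SESSION['user_id'] (hypothetical key);
// protected files live in /var/notwebroot, outside the DocumentRoot.
const PROTECTED_DIR = '/var/notwebroot';
const ALLOWED_TYPES = ['pdf' => 'application/pdf'];  // extension => MIME type

// Map a requested name to a real file inside $baseDir, or null if not allowed.
function resolve_protected_file(string $requested, string $baseDir): ?string
{
    // Plain file names only: no slashes, NUL bytes, quotes or leading dot.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]*\z/', $requested)) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // realpath() resolves symlinks, so confirm the target is still under the base.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {      // not logged in: never touch the file
    http_response_code(403);
    exit('Forbidden');
}
// Assumed: the RewriteRule passes the name as the raw query string
// (get_file.php?wibble.pdf).
$name = rawurldecode($_SERVER['QUERY_STRING'] ?? '');
$path = resolve_protected_file($name, PROTECTED_DIR);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
// $name passed the whitelist above, so it is safe to reuse in headers.
header('Content-Type: ' . ALLOWED_TYPES[strtolower(pathinfo($name, PATHINFO_EXTENSION))]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```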