httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <>
Subject RE: [users@httpd] Secure Apache Directories
Date Wed, 05 Apr 2006 06:41:38 GMT
> -----Original Message-----
> From: David Bernal [] 
> Sent: Dienstag, 4. April 2006 18:21
> To:
> Subject: [users@httpd] Secure Apache Directories
> Hello All,
> I've setup my own authentication scheme with PHP/MySQL but it 
> didn't help with "non php files".  For example, If i post a 
> document SECURE.PDF, how do I secure it from being seen by 
> the outside world?

I presume you're using cookies for session-handling: the server gives a cookie after checking
the credentials and thereafter, the client submits this cookie with every request in that
realm? Then, you have to pass every request through the session-handling logic - what's happening
with your case is that the PDF requests are being directly served by apache.

I've never used PHP for session-handling (maybe someone who has could chip in here?) but I
guess you could rewrite the request internally so that it's handled by PHP (then the user
doesn't see the URL change), eg:

RewriteRule ^/subdir/(*.pdf) /phpdir/get_file.php?$1

so now a request for /subdir/wibble.pdf will be handled by /phpdir/get_file.php?wibble.pdf.
You'll have to write get_file.php to read the file off the disk and return it to the client
(NB: remember to set the correct mime-type). There are probably example progs on the PHP website...

Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> I don't want to use .htaccess directory security AND my PHP 
> authentication.  I really just want one web-based login 
> script that handles .htaccess type security for all file types.
> I hope this makes sense.  Any direction on what I can research?
> Thanks,
> David
Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen-
bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal nature.
It is not related to the exchange or business activities of the SWX Group. Le présent e-mail
est un message privé et personnel, sans rapport avec l'activité boursière du Groupe SWX.
This message is for the named person's use only. It may contain confidential, proprietary
or legally privileged information. No confidentiality or privilege is waived or lost by any
mistransmission. If you receive this message in error, please notify the sender urgently and
then immediately delete the message and any copies of it from your system. Please also immediately
destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose,
distribute, print, or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail communications through their
networks. Any views expressed in this message are those of the individual sender, except where
the message states otherwise and the sender is authorised to state them to be the views of
the sender's company.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message