Site security


#1

Hello. I have a question about securing my site. I was shocked to find out that if I go to “www.mydomain.com/testfile”, I can gain access to the contents of the file even though I was not logged in to “www.mydomain.com”. How do I set it so that the only people who can gain access to “www.mydomain.com/testfile” are actually people who have first logged in at “www.mydomain.com”? Thanks.


#2

Use a CGI script or PHP script to call in the testfile from behind the web-accessible area. This is often used with secure downloads: you have to be given access by a CMS or whatever first, and then it sends you the file to download.

Because the ‘software’ is running on the server it has access to your home directory, but your site visitors only have access to web-accessible stuff.

I suspect that if you search around you can find functionality to add this into your site. SourceForge might be a good place if a Google search doesn’t turn up results.

-Matttail


#3

Matt, you know with me you have to speak simple English. What you just said was all Greek to me. Now, I have been reading up on this htaccess thing. Will that not work? Thanks.


#4

htaccess will work in a way. You’ll have to have a password to get the file. So whether or not they are authenticated with stuff at yourdomain.com, if they have the password they can get the file.

By your post I assumed you wanted authentication to carry over from something you had going at your domain. To do this, you’ll have to add on some extra functionality to the software. Perhaps there is already a mod, hack, or ‘community feature’ that someone has made that you can use for this.

If not, you’ll have to look around for some coding you can add in yourself to accomplish this. I was talking about the secure downloader as this concept might carry over into your request easily.

Don’t worry, you’ll learn Greek eventually. :wink:

-Matttail
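
The approach from posts #2 and #4 as an added example, not code from the thread or from any particular CMS: the file sits outside the web-accessible area and a script returns it only to a request that carries a logged-in session. The session table, function names and directory layout are assumptions made for illustration.

```python
import tempfile
from pathlib import Path


def serve_protected(session_id, requested_name, sessions, protected_dir):
    """Return (status, headers, body) for a request to download requested_name.

    sessions is a hypothetical stand-in for the site's login state
    (session id -> username); protected_dir lies outside the web root.
    """
    # 1. The login carries over: without a known session there is no file.
    if sessions.get(session_id) is None:
        return 403, {}, b"Please log in first.\n"

    # 2. Resolve the name inside the protected directory and refuse
    #    anything that escapes it ("../x", absolute paths, symlinks out).
    base = Path(protected_dir).resolve()
    target = (base / requested_name).resolve()
    if base not in target.parents or not target.is_file():
        return 404, {}, b"Not found.\n"

    # 3. The script, which runs on the server, reads the file and hands it over.
    body = target.read_bytes()
    headers = {"Content-Type": "application/octet-stream",
               "Content-Length": str(len(body))}
    return 200, headers, body


def demo():
    """Run the handler against a constructed home directory and session table."""
    with tempfile.TemporaryDirectory() as home:
        protected = Path(home, "protected")       # not reachable by any URL
        protected.mkdir()
        (protected / "testfile").write_bytes(b"members only\n")
        Path(home, "notes.txt").write_bytes(b"private\n")  # outside protected/
        sessions = {"abc123": "alice"}            # constructed sample session
        return {
            "anonymous": serve_protected(None, "testfile", sessions, protected)[0],
            "logged_in": serve_protected("abc123", "testfile", sessions, protected),
            "traversal": serve_protected("abc123", "../notes.txt", sessions, protected)[0],
        }


if __name__ == "__main__":
    print(demo())
```
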


#5

Is there a command that can be used to see all the files inside my home dir? If so, what is it and how can I block all the files from being listed? Thanks.


#6

From a web browser? Then there aren’t really any commands you can use. As long as there is an index file in the directory you’ll get that instead of a directory list.

So if you’ve got a subdirectory and you don’t want people to see the files in it, just put a simple index.htm page there, and say something like, “Sorry, this is the wrong place, were you looking for mydomain.com?” or whatever.

-Matttail


#7

Thanks again Matt.