This is a discussion on Can I use $_SESSION to limit access to directories? within the PHP Language forums, part of the PHP Programming Forums category.
> > > <a href='../../dlcounter.php?file=$_SESSION['uid']>somefile.zip</a>
> >
> > I would suggest NOT doing so. What prevents me from typing any username in my browser's location bar?
>
> 10-4.
>
> The problem with using the session variable is that the session is lost when going from the SSL-encrypted private user page to the dlcounter.php script.

Then transmit the session ID in the URL when moving to the SSL zone. Check this:

http://es.php.net/manual/en/function.session-id.php

Or you can also use SSL since login. That would be the best solution, I think.
> > $dlpath = 'home/myacct/someuser/'.$dlfile;
> > break;
> > default:
> > $dlpath = 'http://www.mysite.com/PublicDownload/'.$dlfile;
> > }
> > header("Content-Type: application/octet-stream");
> > header("Content-Disposition: attachment; filename=".$dlfile);
> > readfile($dlpath);
> >
> > The download dialog appears, but the download fails because the path to the file is getting screwed up. In the File Download dialog, the File Name appears not as "test.txt", but as a URL to dlcounter.php. Perhaps this is because it's looking for an SSL-encrypted path? How to get it to go to the correct path? Is this possible when connecting to an SSL-encrypted dlcounter.php?
>
> I'll try to explain myself better. The problem is that you can't password protect directories. So we've moved files outside the web server root and we are using a script to download them. If your script loads files from within the web server root, we're doing nothing! Your users can override the script and point their browsers to the actual URL. You want your script to read from the *file system*, from a directory that's hidden to browsers.

I understand. In the code snippet above, I switch on user ID: if the user ID is not set, then the default is to download from the PublicDownload directory. If the user ID *is* set, then /home/myacct/someuser/ is a directory outside of public_html.

What I'm trying to do (which may be a mistake) is to use the same download script to log public downloads as well as private downloads. To do this, I need to pass variables into the script. I was thinking I would pass in the file name and the user name. But apparently, anyone can send variables into the script, and potentially guess what the username and/or file is. So I'm thinking the download script for private files needs to be embedded in the private, SSL-encrypted page where the links to the private files are.

I will keep working on this... Thanks again for the help. Your comments have helped a lot.
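One way to build the download counter the post above describes, as an added example rather than deko's script or anything from the thread: the user ID comes from the session only (never from the query string), the `file` parameter is reduced to a bare file name so it cannot escape the chosen directory, both the private and the public directory sit outside the web root on the file system, and every download is appended to a log with either the user ID or "public". The directory layout under /home/myacct, the log file path, the allowed shape of a user ID, and a site served over SSL from login onwards (so the session cookie reaches this script) are all assumptions; the code targets PHP 7.1 or later.

```php
<?php
// dlcounter.php - added example, not the code posted in the thread.
// Assumed layout (not from the original post):
//   /home/myacct/<uid>/           private files for user <uid>, outside the web root
//   /home/myacct/PublicDownload/  public files, also outside the web root
//   /home/myacct/logs/downloads.log   the download log
// The session cookie is assumed to be available here, i.e. the whole
// site, including this script, runs over SSL from login onwards.

session_start();

const PRIVATE_BASE = '/home/myacct';
const PUBLIC_DIR   = '/home/myacct/PublicDownload';
const LOG_FILE     = '/home/myacct/logs/downloads.log';

/**
 * Resolve the requested file name to an absolute path inside $baseDir,
 * or return null if the name is unsafe or the file does not exist.
 * The file name is the only request-controlled input; it is reduced to
 * a bare name so "../" and absolute paths cannot leave the directory.
 */
function resolve_download(string $baseDir, string $requested): ?string
{
    $name = basename($requested);
    // Only plain names: letters, digits, dot, dash, underscore; no dotfiles.
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Belt and braces: the resolved path must still be under the base directory
    // (guards against symlinks placed inside the directory).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Choose the directory from the session, never from the query string:
 * a logged-in user gets their own private directory, everyone else gets
 * the public one. Returns [directory, label for the log].
 * The uid pattern is an assumption about how login code names users.
 */
function choose_directory(array $session): array
{
    if (isset($session['uid']) && preg_match('/^[a-z0-9_]{1,32}$/', (string) $session['uid'])) {
        return [PRIVATE_BASE . '/' . $session['uid'], (string) $session['uid']];
    }
    return [PUBLIC_DIR, 'public'];
}

/** Append one tab-separated line per download: timestamp, who, client IP, file. */
function log_download(string $who, string $file, string $ip): void
{
    $line = sprintf("%s\t%s\t%s\t%s\n", date('c'), $who, $ip, $file);
    file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX);
}

[$dir, $who] = choose_directory($_SESSION);
$path = resolve_download($dir, $_GET['file'] ?? '');

if ($path === null) {
    // Same answer whether the name was bad or the file is absent: no probing.
    http_response_code(404);
    header('Content-Type: text/plain');
    echo "No such file.\n";
    exit;
}

log_download($who, basename($path), $_SERVER['REMOTE_ADDR'] ?? '-');

// Serve from the file system, not from an http:// URL, so the public
// directory can live outside the web root too. The name is quoted in
// Content-Disposition so names with spaces survive intact.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

A private page then links to `dlcounter.php?file=report.zip` with no user name in the URL at all; a visitor who guesses another user's file name still only reaches their own directory, or the public one if they are not logged in. Keep the private directories unreadable by anything but the web server's user, and check the log after testing that a request with `file=../../etc/passwd` returns the 404 rather than a file.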
*** deko wrote (Mon, 14 Mar 2005 20:17:33 GMT):
> I understand. In the code snippet above, I switch on user ID: if the user ID is not set, then the default is to download from the PublicDownload directory. If the user ID *is* set, then /home/myacct/someuser/ is a directory outside of public_html.

Yep, you're right, I read the code too quickly. You're missing a leading / but the rest seems okay.

> What I'm trying to do (which may be a mistake) is to use the same download script to log public downloads as well as private downloads.

The approach looks good to me.

--
-+ Álvaro G. Vicario - Burgos, Spain +-
http://www.demogracia.com (the humour site varnished for the outdoors)
++ Do not send me your questions, post them to the group -+