Hi guys, hope somebody can help me with this issue. I have 2 users, userA and userB, both of which have login facilities. userA uploads sensitive information in the form of a PDF/doc that should only be viewed by both userA and userB. Now, for every other project I've undertaken, I've just let the PDF be uploaded to, let's say, www.example.com/uploads/the_PDF_file. But if I was to do the same here, everyone can see the file by just typing in the URL. Any suggestions, so that the file is only viewed by userA and userB?
Cheers for the reply. Yeah, I have used that process before; as far as I can remember it was through the .htaccess file. Seemed a bit clunky, any other suggestions? Thanks,
When userA and userB log in, a cookie could be set. Before they are able to access this /upload/ directory the cookie could be checked. If the cookie is not present, they could be redirected to a login screen. You could give this a shot: http://www.astahost.com/info.php/simple-login-script_t17724.html
Your A, B users are like mods/admins? Then why don't you just create a different directory for them and store the files which have sensitive data?! Not the safest way, but if you configure it all it should be OK & safe, or like "thewebhostingdir" said, directory protection with login/pass, fast & easy!
Wow... none of these solutions sound good at all....

1) .htpasswd files are so prone to dictionary attacks, RFI attacks and so forth I'm surprised people still use them, that and NO ONE wants to set them up because it's such a pain to administer

2) cookies are completely pointless if you don't have an auth system in place -- therefore you are going to need to persist someone's session to a database...

My solution: set up a basic users table in MySQL for your webapp -- guaranteed that if you are having this problem now you will have it again in the future -- it's really easy to do this and then you can sleep soundly at night knowing that your users are authenticated and no one can look at the PDFs besides them.

On a side note, if you have a form that allows anyone to upload something to that directory right now and it's NOT locked down -- I would roll up your sleeves and get to work fast.
If they're on the same server you could upload the file to a folder above the public_html folder, IE: /home/userA/doc and give userB permissions to view that file. No additional passwords needed outside the user logins already in place, and it won't be in a folder that is accessible on the web.
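The following is an added example, not code posted by anyone in the thread. It combines two of the suggestions above: files are stored outside the web root, and a download handler checks the logged-in user against a per-document viewer list before returning a path to stream. Python and sqlite3 stand in for the site's own language and the MySQL users table; the table names, the storage path and the function names are hypothetical.

```python
import sqlite3
from pathlib import Path

# Assumption: uploads live outside the web root, so no URL maps to them directly.
STORAGE_ROOT = Path("/home/app/private_uploads")  # hypothetical path


def init_db(conn):
    """Create the hypothetical schema: documents plus a per-document viewer list."""
    conn.executescript("""
        CREATE TABLE documents (id INTEGER PRIMARY KEY, stored_name TEXT NOT NULL);
        CREATE TABLE document_viewers (
            document_id INTEGER NOT NULL REFERENCES documents(id),
            username TEXT NOT NULL,
            PRIMARY KEY (document_id, username));
    """)


def add_document(conn, stored_name, viewers):
    """Register an uploaded file and the users allowed to view it."""
    cur = conn.execute("INSERT INTO documents (stored_name) VALUES (?)", (stored_name,))
    doc_id = cur.lastrowid
    conn.executemany("INSERT INTO document_viewers VALUES (?, ?)",
                     [(doc_id, v) for v in viewers])
    return doc_id


def authorize_download(conn, session_user, document_id, root=STORAGE_ROOT):
    """Return (http_status, path_or_None) for a download request.

    session_user must come from the server-side session, never from the request.
    """
    if not session_user:
        return 401, None  # not logged in: send to the login screen
    row = conn.execute(
        """SELECT d.stored_name FROM documents d
           JOIN document_viewers v ON v.document_id = d.id
           WHERE d.id = ? AND v.username = ?""",
        (document_id, session_user)).fetchone()
    if row is None:
        return 404, None  # same answer for "no such file" and "not your file"
    path = (root / row[0]).resolve()
    if root.resolve() not in path.parents:
        return 404, None  # stored name escapes the storage directory
    return 200, path
```

On a 200 result the handler streams the file itself, so the document never needs a URL of its own.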