Need a little help with access control to files..


I need to make some files available to staff users of a site.. I have created a page thats only accessible by the staff and used "filetree" ( ) to format and display the files and directories..

Obviously the links to the files are not under the access controls of the website.. So knowing the link would allow anyone to access them..

Is mod_setenvif the best way to do this?

Something like..

SetEnvIf Referer allowedaccess
 <directory path="" to="" files="">Order Deny,Allow
Deny from all
Allow from env=allowedaccess</directory> 

Or is there a better way?


3 Replies

Solved it using the code above but without the directives.. Just dropped it into a .htaccess..

If there is a better way I would like to hear it but as a start this seems to be working.. :)

Referer cannot be trusted, as it is sent by the browser and very easily guessed (or easily disabled, which would break things annoyingly). Indeed, if you're implementing this the way I think you're implementing it, someone need only know the URL to the secure page to get access to the secured files. Probably not good. Two better alternatives:

1) Make the files subject to the website's access controls, somehow. Depending on how your application stores authentication credentials, Apache might be able to work with it, or you can set up a second set of usernames/passwords (see here). However, if your application uses cookie-based login, this would result in the dreaded, annoying double-sign-in.

2) Use some sort of secure token for providing access. lighttpd's mod_secdownload is a good example of this approach; Amazon S3's query string authentication is another. The gist is that your application and web server have a secret that only they know; based on this, your application tells the user's web browser "psst, tell the web server that it's a half past midnight and the blue cow leaps over the dingo's kidney"… the browser does so and the web server hands over the secret documents after consulting its codebook.

I don't know of a way to implement this with Apache, but someone's probably done it!

Hi Hoopycat,

The site is driven by Drupal so is using cookies and as you have noted I didn't want to have a double login.. I tried the "private files" option in Drupal which would have solved it but it doesn't play nicely with the "filetree" module because the files are not "know" to Drupal and so the links are not delivered correctly..

mod-auth-token would be cool to use but since I am not a coder I wouldn't know how to add this to the Drupal filetree module so the URL's would be generated as required..

As usual I am limited by my coding skills so have to make use of whats been created in the open source community.. :)


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct