[solved] [FC 1.5.x] secure files above DocumentRoot

Thank you. That is a good solution for my site.

Also , since you are changing the folder you can try placing it above your public_html and using something like ../mysitefiles, if your joomla installation is directly inside public_html, then above will place your folder at the same directory as public_html, preventing direct access without need of .htaccess

Please note that the above steps are needed, but are not enough to provide protection from hot-linking if access to your download field is public

in such a case someone can still hot-link to your files by adding links pointing to the download field urls.

mmm more is need, we need to also use USER SESSIONs, this will make difficult to hot-link to your urls, since someone must first visit your site and display a page containing the download link, before he can download the file.

I say very difficult because despite what some sites say, it is possible to bypass this too, since some could do this via javascript at the user browser (retrieving your page open a guest session) and then redirecting to your download link. Of course you can make this even more difficult by randomizing the download links URLs !!!

In short it is possible and it is even possible to do even for register users, but don't worry, the user session solution is almost always enough

Regards

Thank you. So with the .htaccess in the "secured" folder and the download links visible only to logged in users, the files are save from getting downloaded directly?

Yes but do not forget to set the access level of your download fields to "registered", if you FLEXIaccess then you can have more user groups than just all registered users.

For your .htaccess remember to set a username / language pair, e.g. read here:
www.addedbytes.com/lab/password- ... -htaccess/

Thank you. I think now Im sorted.