[solved] [FC 1.5.x] secure files above DocumentRoot

15 years 7 months ago #8672 by bittingbits
Hi there,

Looks like the "Path to secure files folder" in the general settings does not accept absolute paths to directories above / outside the DocumentRoot.
If so, in which way is the "secure" option more secure than the default one? What sort of protection is actually added?
From my experience with other scripts allowing secure downloads, the only feasible method to actually prevent hot linking and keep files away from prying eyes is by placing the files above the DocumentRoot.

For intra and extranets where highly confidential data is moved, any solution which does not contemplate what I have just described might be delusional and compromising.

An explanation and possible workarounds would be much welcome.

15 years 7 months ago #8749 by bittingbits
This is an outstanding issue we are willing to address ourselves.
Would be interesting to add this to the dev branch once we finish it.

15 years 7 months ago #8773 by micker
Cool, thanks for developing for this project
regards

FLEXIcontent is Free but involves a very big effort on our part.
Like our support? (for a bug-free FC, despite being a huge extension) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing reviews. Thanks!

13 years 11 months ago #23692 by hede
Hello!

Did this development take place? Is it now possible to store files outside the Joomla directory? Thanks.

FF on Win10, FLEXIcontent version 3.0.10 on Joomla 3.4

13 years 11 months ago #23697 by micker
I didn't think ... :oops:

13 years 11 months ago #23701 by ggppdk
The download field plugin:
(a) checks access level of the user before it allows downloading, and
(b) also does not reveal the location of the file (it can reveal the filename if you allow),

So you can do these:

1. change secure folder in Global config
2. rename folder via ftp
3. -optionally- you could also add an .htaccess file with password inside the folder

You are done.
People will never know the real location of the file, and if they do find the URL in some way, they will not be able to download it, because it is protected by the web server.

I guess we could automate the above 3 steps, randomizing the folder name and adding an .htaccess in the folder with some random password (will work for Apache servers only).


-- Flexicontent is Free but involves a big effort on our part.
Like our support? (for a bug-free FC, despite having a long list of functions) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing with a 5-star review. Thanks!

13 years 11 months ago #23702 by hede
Thank you. That is a good solution for my site.

FF on Win10, FLEXIcontent version 3.0.10 on Joomla 3.4

13 years 11 months ago #23711 by ggppdk
Also, since you are changing the folder, you can try placing it above your public_html and using something like ../mysitefiles. If your Joomla installation is directly inside public_html, then the above will place your folder in the same directory as public_html, preventing direct access without the need for .htaccess.

Please note that the above steps are needed, but are not enough to provide protection from hot-linking if access to your download field is public.

In such a case someone can still hot-link to your files by adding links pointing to the download field URLs.

Mmm, more is needed: we also need to use USER SESSIONs. This will make it difficult to hot-link to your URLs, since someone must first visit your site and display a page containing the download link, before he can download the file.

I say very difficult because, despite what some sites say, it is possible to bypass this too, since someone could do this via JavaScript in the user's browser (retrieving your page to open a guest session) and then redirecting to your download link. Of course you can make this even more difficult by randomizing the download link URLs !!!

In short, it is possible, and it is even possible to do for registered users, but don't worry, the user session solution is almost always enough.

Regards


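The approach described in the posts above (a storage folder beside public_html, a download script that checks the user's session, and download links that cannot simply be copied elsewhere), as an added example that is not FLEXIcontent code and not from the original thread. `STORAGE_DIR`, `SECRET`, the `$session` array and all function names are assumptions made for illustration.

```php
<?php
// Added example; every name and path here is hypothetical, not FLEXIcontent's.
const STORAGE_DIR = '/home/example/mysitefiles';      // sibling of public_html (assumed)
const SECRET      = 'replace-with-random-server-key'; // constructed placeholder

// Link token bound to one session, one file and an expiry time.
function make_token(string $sessionId, int $fileId, int $expires): string
{
    return $expires . '.' . hash_hmac('sha256', "$sessionId|$fileId|$expires", SECRET);
}

function token_is_valid(string $token, string $sessionId, int $fileId, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    $expires = (int) $parts[0];
    // A token copied to another site fails: the visitor's session id differs.
    return $expires >= $now
        && hash_equals(make_token($sessionId, $fileId, $expires), $token);
}

// Resolve a stored filename and refuse anything that escapes STORAGE_DIR.
function resolve_stored_file(string $storedName): ?string
{
    $base = realpath(STORAGE_DIR);
    $path = realpath(STORAGE_DIR . '/' . $storedName);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return (strncmp($path, $prefix, strlen($prefix)) === 0 && is_file($path)) ? $path : null;
}

// $storedName would come from a database lookup of $fileId, never from the URL.
function serve_download(array $session, int $fileId, string $token, string $storedName): void
{
    $sid = $session['id'] ?? '';
    if (empty($session['user_id']) || !token_is_valid($token, $sid, $fileId, time())) {
        http_response_code(403);   // not logged in, or link not issued to this session
        return;
    }
    $path = resolve_stored_file($storedName);
    if ($path === null) { http_response_code(404); return; }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="file-' . $fileId . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);               // the real location is never sent to the client
}
```

The page that lists downloads would call `make_token()` with the current session id when it renders each link, so a link is only usable by the session that displayed it and only until it expires.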

13 years 11 months ago #23717 by hede
Thank you. So with the .htaccess in the "secured" folder and the download links visible only to logged in users, the files are safe from getting downloaded directly?

FF on Win10, FLEXIcontent version 3.0.10 on Joomla 3.4

13 years 11 months ago #23720 by ggppdk
Yes, but do not forget to set the access level of your download fields to "registered". If you use FLEXIaccess, then you can have more user groups than just all registered users.

For your .htaccess remember to set a username / language pair, e.g. read here:
www.addedbytes.com/lab/password- ... -htaccess/



Moderators: vistamedia, joomlacorner, ggppdk