direct link prevention on apache

I'm using PHP 4.3 and APACHE2.0. I have a website that requires people
to log in before they can download files from my website. A person is
logged in if there is a session-variable $logged_in set to TRUE.

How can I prevent people from downloading a file (f.e. myfile.doc)
without being logged in when they know the direct link to the file
(http://www.mysite.com/somedir/myfile.doc)?

Putting the file in an obscure place by working with random numbers
(http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.

The other solution of using a scriptfile like download.php as a gateway
to serve the file and restricting all other access to the directory with
a .htaccess file is also not an option, because this doesn't work
perfectly in older browsers that don't handle the headers(Content ...)
correctly.

I would like Apache to handle this. If one requests a file in a certain
directory, I want apache to check if the user is logged in or not by
calling a file like download.php. If he is logged in then the requested
file is served by apache (not by the download.php file acting as a
gateway). I was thinking to use mod_rewrite, but I don't think this
works because it will keep on rewriting the url to go to the
download.php file. Even if I'm coming from that place. Also using
HTTP_REFERER is not a good idea because a lot of firewalls prevent this
information.

Is this simply impossible? Can I use mod_rewrite for this and how? Are
there other possibilities?

Thanks
Jan Bols

Jul 17 '05 #1
Jan Bols wrote:
> I'm using PHP 4.3 and APACHE2.0. I have a website that requires people
> to log in before they can download files from my website. A person is
> logged in if there is a session-variable $logged_in set to TRUE.
>
> How can I prevent people from downloading a file (f.e. myfile.doc)
> without being logged in when they know the direct link to the file
> (http://www.mysite.com/somedir/myfile.doc)?

Don't offer a direct link to the file. Or, alternatively, preprocess
every request for the file through a module (or mod_perl or
mod_[whatever] function that checks for a certain cookie or whatever you
use for login credentials). You would make this a rule in httpd.conf or
.htaccess.

> Putting the file in an obscure place by working with random numbers
> (http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.

Good. That's lame.

> The other solution of using a scriptfile like download.php as a gateway
> to serve the file and restricting all other access to the directory with
> a .htaccess file is also not an option, because this doesn't work
> perfectly in older browsers that don't handle the headers(Content ...)
> correctly.

What browsers are you talking about? Ones dating back to 1995? If you
form your headers correctly and spit out the right MIME type and
Content-length, the file will get a name properly in any major browser
made from 1997 on. If it's not working for you, it's your bug. It seems
to work well enough for CNet, Tucows and a zillion other big download
sites, so what are you concerned about? Why do you care about users with
ancient, broken browsers? Isn't 6 years a long enough cutoff age for
this kind of feature support?

> I would like Apache to handle this. If one requests a file in a certain
> directory, I want apache to check if the user is logged in or not by
> calling a file like download.php. If he is logged in then the requested
> file is served by apache (not by the download.php file acting as a
> gateway). I was thinking to use mod_rewrite, but I don't think this
> works because it will keep on rewriting the url to go to the
> download.php file. Even if I'm coming from that place. Also using
> HTTP_REFERER is not a good idea because a lot of firewalls prevent this
> information.

A lot of firewalls block referrers? Or a few run at home by lunatics?
Regardless, referers really aren't the best way to do it anyway.

In any case, forget mod_rewrite for the moment. Just set the *.doc file
extension in a certain directory to execute as PHP in your httpd.conf or
.htaccess, and have mydoc.doc be a PHP script that checks login creds
and pipes out the .doc file contents. Or if you want unique filenames,
then add mod_rewrite to the mix so that a request for
/download/foo123.doc executes download.php and treats foo123 as an argument.

-sk

Jul 17 '05 #2
Tough nut to crack. All I can think of is to dynamically add the client's
IP address to a .htaccess file, then redirect the browser to the URL
pointing to the file. The IP address should be saved to a session variable
so that you can remove it from .htaccess when the session expires.

User "Jan Bols" <ja*@ivpv.ugent .be> wrote in message
news:bq******** **@gaudi2.UGent .be...
> I'm using PHP 4.3 and APACHE2.0. I have a website that requires people
> to log in before they can download files from my website. A person is
> logged in if there is a session-variable $logged_in set to TRUE.
>
> How can I prevent people from downloading a file (f.e. myfile.doc)
> without being logged in when they know the direct link to the file
> (http://www.mysite.com/somedir/myfile.doc)?
>
> Putting the file in an obscure place by working with random numbers
> (http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.
>
> The other solution of using a scriptfile like download.php as a gateway
> to serve the file and restricting all other access to the directory with
> a .htaccess file is also not an option, because this doesn't work
> perfectly in older browsers that don't handle the headers(Content ...)
> correctly.
>
> I would like Apache to handle this. If one requests a file in a certain
> directory, I want apache to check if the user is logged in or not by
> calling a file like download.php. If he is logged in then the requested
> file is served by apache (not by the download.php file acting as a
> gateway). I was thinking to use mod_rewrite, but I don't think this
> works because it will keep on rewriting the url to go to the
> download.php file. Even if I'm coming from that place. Also using
> HTTP_REFERER is not a good idea because a lot of firewalls prevent this
> information.
>
> Is this simply impossible? Can I use mod_rewrite for this and how? Are
> there other possibilities?
>
> Thanks
> Jan Bols

Jul 17 '05 #3
Jan Bols <ja*@ivpv.ugent .be> wrote in message news:<bq******* ***@gaudi2.UGen t.be>...
> I'm using PHP 4.3 and APACHE2.0. I have a website that requires people
> to log in before they can download files from my website. A person is
> logged in if there is a session-variable $logged_in set to TRUE.

<snip>

> The other solution of using a scriptfile like download.php as a gateway
> to serve the file and restricting

AFAIK, this is the right way. Just check the logged-in flag in your
download.php file (ie, session variable for logged-in)

> all other access to the directory with
> a .htaccess file is also not an option, because this doesn't work
> perfectly in older browsers that don't handle the headers(Content ...)
> correctly.
>
> I would like Apache to handle this. If one requests a file in a certain
> directory, I want apache to check if the user is logged in or not by
> calling a file like download.php. If he is logged in then the requested
> file is served by apache (not by the download.php file acting as a
> gateway). I was thinking to use mod_rewrite, but I don't think this
> works because it will keep on rewriting the url to go to the
> download.php file. Even if I'm coming from that place. Also using
> HTTP_REFERER is not a good idea because a lot of firewalls prevent this
> information.
>
> Is this simply impossible? Can I use mod_rewrite for this and how? Are
> there other possibilities?


I couldn't understand the reason to go for mod_rewrite..

--
"If there is a God, he must be a sadist!"
Email: rrjanbiah-at-Y!com
Jul 17 '05 #4
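
The gateway approach that replies #2 and #4 describe, sketched as an added example that is not code from any poster in the thread: a `download.php` that checks the session login flag, validates the requested name, and sends the file with explicit headers. The storage path, the `f` parameter, the `$_SESSION['logged_in']` key and the rewrite rule shown in the comment are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: the "f" parameter,
// PROTECTED_DIR, and this rule in the document root's .htaccess:
//   RewriteRule ^download/([A-Za-z0-9_-]+)\.doc$ download.php?f=$1 [L]
// download.php does not match the pattern, so the rule cannot loop.

// Assumption: documents live outside the document root, so no URL maps
// to them and this script is the only way to reach them.
const PROTECTED_DIR = '/var/www/protected-docs';

// Map the rewrite argument to a real file; null for anything unexpected.
function resolve_document($name): ?string
{
    // Allow-list: no dots or slashes, so "../" cannot leave the directory.
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    $base = realpath(PROTECTED_DIR);
    $path = realpath(PROTECTED_DIR . '/' . $name . '.doc');
    // realpath() follows symlinks; the result must still sit under $base.
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

session_start();
// The thread's login flag, assumed here to be stored as $_SESSION['logged_in'].
if (($_SESSION['logged_in'] ?? false) !== true) {
    http_response_code(403);
    exit('Login required.');
}
session_write_close(); // release the session lock before a long transfer

$path = resolve_document($_GET['f'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('No such document.');
}

// The headers reply #2 mentions: MIME type, length, and a download name.
header('Content-Type: application/msword');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```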
