473,786 Members | 2,806 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

How to secure downloads for authenticated users?

I have files on my Apache web server that are NOT in publicly accessible space.
I want to make these files available for download only to authenticated users.

I currently use a download script that is accessed from an SSL-encrypted page
(that the user arrives at after authenticating) . There are links in this page
that initiate the different file downloads by passing a variable (name of the
directory and file) to the download script.

It works fine, but if someone were to guess the full path of the file on the web
server, the download could be initiated without coming from the SSL-encrypted
page. I could check referrer, but I'd rather not rely on that.

How can I ensure that my download script is only initiated from the encrypted
page?

Here is the download script (which IS in publicly-accessible space):

$info = trim($_GET['fileinfo']); //a 'directory.file name.extension' is passed
in
$info_array = explode(".", $info);
$directory = $info_array[0]."/";
$filename = $info_array[1].".".$info_arra y[2];
$extension = $info_array[2];
$dlfile = "/home/user-directory/private-data/".$directory.$f ilename;
header("Content-Disposition: attachment; filename=".$fil ename);
header('Content-type: application/'.$extension);
header("Content-Length: ".filesize($dlf ile));
readfile($dlfil e);

If someone were to enter a URL like this:

http://www.example.com/download-scri...ory.myfile.zip

then all the SSL is for nothing...

I could use htaccess to protect the directory that the download script is in,
but that means the user has to authenticate twice when trying to download
something.

And if I try to do this:

session_start() ;
if ($_SESSION['uid'] == "valid_user ")
{
//execute script
}
else
{
exit;
}

the download barfs.

How do I make my downloads secure?

Thanks in advance

Aug 28 '06 #1
2 3255
I think this is as good as it gets...

/*
An Internal Server Error will be received if 'fileinfo' is passed manually
to this script (user types the URL with variables). But this protection is
only available if script resides in /cgi-bin. If this script must reside
outside of /cgi-bin, try password protecting the directory with htaccess.
*/
$info = trim($_GET['info']);
$info_array = explode(".", $info);
$directory = $info_array[0]."/";
$filename = $info_array[1].".".$info_arra y[2];
$extension = $info_array[2];
$filedownload = "/home/username/nonpublic/".$directory.$f ilename;
header("Content-Disposition: attachment; filename=".$fil ename);
header('Content-type: application/'.$extension);
header("Content-Length: ".filesize($fil edownload));
readfile($filed ownload);

Regardless of where this script resides, I assume the URL (and variables) can
easilly be sniffed on the wire when the request is made.

Can username/password also be sniffed from user entries in the dialog generated
by htaccess? If so, the only way to ensure any security over who downloads what
is to have this script in /cgi-bin.

Is this correct?

Aug 28 '06 #2
This will not work either, at least not in IE (though it does work in FF):

header("Locatio n:https://$username:$p*** ****@secure.exa mple.com/username/mydirectory/download-script.php");

because, as we all know...

Microsoft Knowledge Base Article 834489 explains that a security update (issued
back in 2004) has modified the default behavior of Internet Explorer for
handling user information in HTTP and in HTTPS URLs.

The 832894 security update removed support for handling HTTP and HTTPS URLs in
the form of:

http(s)://username:passwo rd@server/resource.ext

in Internet Explorer and Windows Explorer. After you install the 832894 security
update, Windows Explorer and Internet Explorer do not open HTTP or HTTPS sites
by using a URL that includes user information.

http://support.microsoft.com/default.aspx?scid=kb;[LN];834489

Aug 29 '06 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
1
3697
Secure downloads - how to link to file?
by: deko | last post by:
I use a download script to allow users to download files that are not in a publicly accessible directory. The files should only be downloadable from a secure page which only authenticated users have access to. But how do I prevent someone from running the download script? The hyperlinks in the secure page point to the download script which is in a public directory. If the script is not in a public directory, the links fail. The...
PHP
0
902
SSL site administration secure?
by: jaekim | last post by:
Hi. I have this web site where I administer users though a SSL page authenticated by form authentication. Now, I need to administer some credit card information taken from the user, and I am wondering if this is secure enough. Credit card information are all stored in a database encrypted, but to administer the credit card information entered, they are going to be decrypted and shown on a SSL page.
ASP.NET
4
2656
Mixing secure and unsecure pages with Forms Authentication
by: MR. UNDERHILL | last post by:
I want to use forms authentication on my website. Looking at the documentation, I create a sample site for testing. One of my requirements is to ensure that SOME pages required an authenticated user and some others, like the home page is not required. I specified the <deny users="?" /> on the web.config, but this is causing ALL pages require the authentication. How can I mix both, without loosing the web.config setup? I know that I can...
ASP.NET
2
1308
How to secure a webservice - could some expert advise?
by: thomas | last post by:
Hi everybody, Here is the scenario: webservice and a windows client application. Requirements: 1. Only authenticated and authorized users shall be able to call web methods. 2. User names or passwords shall never be sent over http. Constraints:
.NET Framework
0
2578
secure web service authentication using asp.net membership provide
by: =?Utf-8?B?SmVmZiBCZWVt?= | last post by:
We have an asp.net 2.0 forms-authenticated application that uses the membership and role providers built into the framework. We already have an administration section in the application for those in certain "Roles". However, my employer has asked me if there is a secure way to create a smart client to manage users, roles, and other parts of the site configuration. I have only limited experience in web development and even less with web...
.NET Framework
2
1799
Authentication for File downloads
by: davidkruger | last post by:
Hi, I have a script setup that is used for reading binary data from files that is stored in a mysql blob field. This is not a question regarding the mysql and data accessing, but what I am wanting to do is instead of just being able to pass the file ID in the URL without authenticating to the page prior, that page will return with a message saying not logged in, and not allowing the file to be accessed/ downloaded from the webpage. The...
PHP
14
1585
secure file uploads and downloads
by: Dave | last post by:
Hello, Not sure if this is php related or not, but i'd like to have certain users who have the ability to upload files to my site, and others to download files. I thought about .htaccess and basic authentication, but then i thought that's not very secure i was wondering if there was a php solution, something that splits user uploads and downloads in to two separate sections? I checked out some scripts on phpbuilder.com but they don't seem...
PHP
1
3133
How to secure a database ...?
by: Annonymous Coward | last post by:
I am writing an application which I will deploy to my clients. It is important for security, support, IP reasons etc, that the users are not able to access my databse schema (i.e. view/modify/run procs etc). What do I have to do to ensure that users will not be able to access my database? Also, I am thinking of installing SSE as a seperate instance with a unique name - the idea being that it keeps my database away from any that may...
Microsoft SQL Server
7
2833
Missing Web log Entry's for file downloads using ashx
by: =?Utf-8?B?QU9UWCBTYW4gQW50b25pbw==?= | last post by:
Hi, I have been using the code (some of it has been removed for simplicity) below to allow authenticated (using ASP.NET membership database) users to get a file from their archive area. It seems to work fine, however I noticed that no web log entry is added when a successful download occurs (normally a 200 HTTP status code, however, if there is an authorization failure, it gets logged). I have a logging routine that logs a successful...
ASP.NET
0
10164
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
Online Marketing
1
10110
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
Windows Server
0
9962
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
General
0
8992
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
Career Advice
0
6748
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
C# / C Sharp
0
5398
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration
1
4067
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
C# / C Sharp
2
3670
muto222
How to add payments to a PHP MySQL app.
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
PHP
3
2894
bsmnconsultancy
Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us