473,232 Members | 1,417 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,232 software developers and data experts.

Protect download files

Im developping an application that needs to show some videos, but in
a protected envinroment. Any user must be authenticated to see the
videos. But for example, if anyone know the path of the videos, can
access directly to this site and download it without authentication.

If I write in the location bar the url of a video, I can download
without problem because the application cannot test if the user is
already authenticated or not. Ive read something about RedirectMatch
and it works well but now the users cannot see the videos.

I try to write an example:

..- #I write this rule in the httpd.conf
RedirectMatch (.*)\.avi$
/myapplication/tools/downloadfile.php?filename=$1

With this rule I redirect all the requests for the video files include
the request of a window media player, but I dont want to do this.
When I show the video directly on the web, I dont need to redirect
but when is a direct request from url to download the file, I must
check if the user is authenticated.

I hope that you can understand my bad english.

Fran Garca

Jul 22 '05 #1
6 3520
JDS
On Fri, 22 Jul 2005 05:11:04 -0700, fgarciarico wrote:
If I write in the location bar the url of a video, I can download
without problem because the application cannot test if the user is
already authenticated or not. Ive read something about RedirectMatch
and it works well but now the users cannot see the videos.


Do one of the following:

1) Use Basic Auth in the .htaccess file
Example: http://httpd.apache.org/docs/1.3/howto/auth.html

2) Use Basic Auth within PHP
http://us2.php.net/features.http-auth

I recommend number (1). Of course, the trouble with that is that it is
outside any application logic.

You could try putting any .avi (or other protected files) outside the http
virtual directory path and then create a PHP shell app that just gets and
downloads the file for you. (I know you said you are trying something
like this). To do this you will need to use

header("Content-type: blah/blah");

where blah/blah is the correct content type

The important thing here is to put the .avi files (any protected files)
OUTSIDE the http virtual directory path! So that one cannot just type in
a URL and get the file.
--
JDS | je*****@example.invalid
| http://www.newtnotes.com
DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/

Jul 22 '05 #2


JDS wrote:
On Fri, 22 Jul 2005 05:11:04 -0700, fgarciarico wrote:
If I write in the location bar the url of a video, I can download
without problem because the application cannot test if the user is
already authenticated or not. Ive read something about RedirectMatch
and it works well but now the users cannot see the videos.


Do one of the following:

1) Use Basic Auth in the .htaccess file
Example: http://httpd.apache.org/docs/1.3/howto/auth.html

2) Use Basic Auth within PHP
http://us2.php.net/features.http-auth

I recommend number (1). Of course, the trouble with that is that it is
outside any application logic.

You could try putting any .avi (or other protected files) outside the http
virtual directory path and then create a PHP shell app that just gets and
downloads the file for you. (I know you said you are trying something
like this). To do this you will need to use

header("Content-type: blah/blah");

where blah/blah is the correct content type

The important thing here is to put the .avi files (any protected files)
OUTSIDE the http virtual directory path! So that one cannot just type in
a URL and get the file.
--
JDS | je*****@example.invalid
| http://www.newtnotes.com
DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/

put a .htaccess in your video dir containing the line:

deny from all

this will prevent any browser access in that dir

now deliver the videos to your users with a php script that

1. checks the credentials and
2. if ok, delivers the video via the servers filesystem, using i.e.
readfile (which is not affected by .htaccess)

micha

Jul 23 '05 #3
deliver_video.php has to be outside the video dir of course

micha

Jul 23 '05 #4
chotiwallah wrote:

JDS wrote:
On Fri, 22 Jul 2005 05:11:04 -0700, fgarciarico wrote:

If I write in the location bar the url of a video, I can download
without problem because the application cannot test if the user is
already authenticated or not. Ive read something about RedirectMatch
and it works well but now the users cannot see the videos.


Do one of the following:

1) Use Basic Auth in the .htaccess file
Example: http://httpd.apache.org/docs/1.3/howto/auth.html

2) Use Basic Auth within PHP
http://us2.php.net/features.http-auth

I recommend number (1). Of course, the trouble with that is that it is
outside any application logic.

You could try putting any .avi (or other protected files) outside the http
virtual directory path and then create a PHP shell app that just gets and
downloads the file for you. (I know you said you are trying something
like this). To do this you will need to use

header("Content-type: blah/blah");

where blah/blah is the correct content type

The important thing here is to put the .avi files (any protected files)
OUTSIDE the http virtual directory path! So that one cannot just type in
a URL and get the file.
--
JDS | je*****@example.invalid
| http://www.newtnotes.com
DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/


put a .htaccess in your video dir containing the line:

deny from all

this will prevent any browser access in that dir

now deliver the videos to your users with a php script that

1. checks the credentials and
2. if ok, delivers the video via the servers filesystem, using i.e.
readfile (which is not affected by .htaccess)

micha


Or, better yet, put them below the document_root. That way you're not depending
on the .htaccess.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jul 23 '05 #5
Ive thought something like that but I must show the video files into
a media player object in my web pages and I think that if the video
file isnt on a valid url, I cannot show it. Or?

Jul 26 '05 #6
JDS
On Tue, 26 Jul 2005 00:30:44 -0700, fgarciarico wrote:
Ive thought something like that but I must show the video files into
a media player object in my web pages and I think that if the video
file isnt on a valid url, I cannot show it. Or?


You can use a PHP file as the video file. Just send the proper header.
For example, I can use a PHP script as a JPEG or GIF image if I send the
proper header:

header("Content-type: image/jpeg");

AND if the content following is an actual JPEG image.

For example, say I have an image, "image.jpg". I can read it into the PHP
script using one of the binary-safe file reading functions in PHP:

(I think this example will work)

getimage.php:

<?
/* ...Include authentication and security stuff here...*/

$file = "image.jpg";
$file_contents = file_get_contents($file);
header("Content-type: image/jpeg");
print $file_contents;
exit;
?>

Now include getimage.php in your HTML page:

<p>
<img src="getimage.php">
</p>
You should be able to do the same with a video file. Using the video
file's MIME type, of course, in the header.

later...

--
JDS | je*****@example.invalid
| http://www.newtnotes.com
DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/

Jul 26 '05 #7

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

3
by: benjamin | last post by:
A pygame/python game resource question ###################################### I wander whether there is any possibility to compile a bunch of resources for a program, like images and soundfiles...
11
by: LarryM | last post by:
Hi, NB, not to stop capturing the single displayed Image, but to stop downloading the entire image directory. (In my Website you will do a search, and get some thumbnails, and these can be...
2
by: travelling_nerd | last post by:
Folks: I have some zip files I'd like to serve to authenticated users on my site, but would like to prevent unauthorized users from using an absolute path to get to these zip files. For example...
5
by: Brian Madden | last post by:
Hello All, I have what I thought would be a simple problem although I've been searching for a few hours with no luck. I have several PDF and MPG files I would like to provide to users to...
3
by: Hongbo | last post by:
Hi, We have a web site which needs user to login. After login, there are some files available for download on some pages. A typical link of such file is like this one:...
3
by: Miro | last post by:
Why Password protect an MDB when someone can google and get a hack? Wondering if anyone else has thought of this and just said "oh well"... I plan to password protect an MDB where I have some...
12
by: =?Utf-8?B?am9uaWdy?= | last post by:
I wrote a simple VB.NET application that imports and edits CSV files. Now I’d like to “lock” the raw (pre-import) CSV files so these cannot be opened separately. It is not high-sensitive...
22
by: teejayem | last post by:
Hi, I am new to programming with databases and was wanting some help. Is there any way to password protect an access database and access sent sql commands to it via vb.net code? Any help...
4
by: Alan Silver | last post by:
Hello, I am writing a site where people can buy ebooks. I want to have a system whereby they can download the file(s) once they have paid, but (obviously) not before. I also want some sort of...
3
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 3 Jan 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). For other local times, please check World Time Buddy In...
0
by: abbasky | last post by:
### Vandf component communication method one: data sharing ​ Vandf components can achieve data exchange through data sharing, state sharing, events, and other methods. Vandf's data exchange method...
0
by: fareedcanada | last post by:
Hello I am trying to split number on their count. suppose i have 121314151617 (12cnt) then number should be split like 12,13,14,15,16,17 and if 11314151617 (11cnt) then should be split like...
0
by: stefan129 | last post by:
Hey forum members, I'm exploring options for SSL certificates for multiple domains. Has anyone had experience with multi-domain SSL certificates? Any recommendations on reliable providers or specific...
0
Git
by: egorbl4 | last post by:
Скачал я git, хотел начать настройку, а там вылезло вот это Что это? Что мне с этим делать? ...
0
by: MeoLessi9 | last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, youll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: Aftab Ahmad | last post by:
Hello Experts! I have written a code in MS Access for a cmd called "WhatsApp Message" to open WhatsApp using that very code but the problem is that it gives a popup message everytime I clicked on...
0
by: Aftab Ahmad | last post by:
So, I have written a code for a cmd called "Send WhatsApp Message" to open and send WhatsApp messaage. The code is given below. Dim IE As Object Set IE =...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.