Bytes IT Community

direct link prevention on apache

I'm using PHP 4.3 and APACHE2.0. I have a website that requires people
to log in before they can download files from my website. A person is
logged in if there is a session-variable $logged_in set to TRUE.

How can I prevent people from downloading a file (f.e. myfile.doc)
without being logged in when they know the direct link to the file
(http://www.mysite.com/somedir/myfile.doc)?

Putting the file in an obscure place by working with random numbers
(http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.

The other solution of using a scriptfile like download.php as a gateway
to serve the file and restricting all other access to the directory with
a .htaccess file is also not an option, because this doesn't work
perfectly in older browsers that don't handle the headers(Content...)
correctly.

I would like Apache to handle this. If one requests a file in a certain
directory, I want apache to check if the user is logged in or not by
calling a file like download.php. If he is logged in then the requested
file is served by apache (not by the download.php file acting as a
gateway). I was thinking to use mod_rewrite, but I don't think this
works because it will keep on rewriting the url to go to the
download.php file. Even if I'm coming from that place. Also using
HTTP_REFERER is not a good idea because a lot of firewalls prevent this
information.

Is this simply impossible? Can I use mod_rewrite for this and how? Are
there other possibilities?

Thanks
Jan Bols

Jul 17 '05 #1
3 Replies


Jan Bols wrote:
> I'm using PHP 4.3 and APACHE2.0. I have a website that requires people
> to log in before they can download files from my website. A person is
> logged in if there is a session-variable $logged_in set to TRUE.
>
> How can I prevent people from downloading a file (f.e. myfile.doc)
> without being logged in when they know the direct link to the file
> (http://www.mysite.com/somedir/myfile.doc)?

Don't offer a direct link to the file. Or, alternatively, preprocess
every request for the file through a module (or mod_perl or
mod_[whatever] function that checks for a certain cookie or whatever you
use for login credentials). You would make this a rule in httpd.conf or
.htaccess.
> Putting the file in an obscure place by working with random numbers
> (http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.

Good. That's lame.
> The other solution of using a scriptfile like download.php as a gateway
> to serve the file and restricting all other access to the directory with
> a .htaccess file is also not an option, because this doesn't work
> perfectly in older browsers that don't handle the headers(Content...)
> correctly.

What browsers are you talking about? Ones dating back to 1995? If you
form your headers correctly and spit out the right MIME type and
Content-length, the file will get a name properly in any major browser
made from 1997 on. If it's not working for you, it's your bug. It seems
to work well enough for CNet, Tucows and a zillion other big download
sites, so what are you concerned about? Why do you care about users with
ancient, broken browsers? Isn't 6 years a long enough cutoff age for
this kind of feature support?
> I would like Apache to handle this. If one requests a file in a certain
> directory, I want apache to check if the user is logged in or not by
> calling a file like download.php. If he is logged in then the requested
> file is served by apache (not by the download.php file acting as a
> gateway). I was thinking to use mod_rewrite, but I don't think this
> works because it will keep on rewriting the url to go to the
> download.php file. Even if I'm coming from that place. Also using
> HTTP_REFERER is not a good idea because a lot of firewalls prevent this
> information.

A lot of firewalls block referrers? Or a few run at home by lunatics?
Regardless, referrers really aren't the best way to do it anyway.

In any case, forget mod_rewrite for the moment. Just set the *.doc file
extension in a certain directory to execute as PHP in your httpd.conf or
.htaccess, and have mydoc.doc be a PHP script that checks login creds
and pipes out the .doc file contents. Or if you want unique filenames,
then add mod_rewrite to the mix so that a request for
/download/foo123.doc executes download.php and treats foo123 as an argument.

-sk

Jul 17 '05 #2

Tough nut to crack. All I can think of is to dynamically add the client's
IP address to a .htaccess file, then redirect the browser to the URL
pointing to the file. The IP address should be saved to a session variable
so that you can remove it from .htaccess when the session expires.

User "Jan Bols" <ja*@ivpv.ugent.be> wrote in message
news:bq**********@gaudi2.UGent.be...
> I'm using PHP 4.3 and APACHE2.0. I have a website that requires people
> to log in before they can download files from my website. A person is
> logged in if there is a session-variable $logged_in set to TRUE.
>
> How can I prevent people from downloading a file (f.e. myfile.doc)
> without being logged in when they know the direct link to the file
> (http://www.mysite.com/somedir/myfile.doc)?
>
> Putting the file in an obscure place by working with random numbers
> (http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.
>
> The other solution of using a scriptfile like download.php as a gateway
> to serve the file and restricting all other access to the directory with
> a .htaccess file is also not an option, because this doesn't work
> perfectly in older browsers that don't handle the headers(Content...)
> correctly.
>
> I would like Apache to handle this. If one requests a file in a certain
> directory, I want apache to check if the user is logged in or not by
> calling a file like download.php. If he is logged in then the requested
> file is served by apache (not by the download.php file acting as a
> gateway). I was thinking to use mod_rewrite, but I don't think this
> works because it will keep on rewriting the url to go to the
> download.php file. Even if I'm coming from that place. Also using
> HTTP_REFERER is not a good idea because a lot of firewalls prevent this
> information.
>
> Is this simply impossible? Can I use mod_rewrite for this and how? Are
> there other possibilities?
>
> Thanks
> Jan Bols

Jul 17 '05 #3

Jan Bols <ja*@ivpv.ugent.be> wrote in message news:<bq**********@gaudi2.UGent.be>...
> I'm using PHP 4.3 and APACHE2.0. I have a website that requires people
> to log in before they can download files from my website. A person is
> logged in if there is a session-variable $logged_in set to TRUE.
<snip>
> The other solution of using a scriptfile like download.php as a gateway
> to serve the file and restricting

AFAIK, this is the right way. Just check the logged-in flag in your
download.php file (ie, session variable for logged-in)

> all other access to the directory with
> a .htaccess file is also not an option, because this doesn't work
> perfectly in older browsers that don't handle the headers(Content...)
> correctly.
>
> I would like Apache to handle this. If one requests a file in a certain
> directory, I want apache to check if the user is logged in or not by
> calling a file like download.php. If he is logged in then the requested
> file is served by apache (not by the download.php file acting as a
> gateway). I was thinking to use mod_rewrite, but I don't think this
> works because it will keep on rewriting the url to go to the
> download.php file. Even if I'm coming from that place. Also using
> HTTP_REFERER is not a good idea because a lot of firewalls prevent this
> information.
>
> Is this simply impossible? Can I use mod_rewrite for this and how? Are
> there other possibilities?

I couldn't understand the reason to go for mod_rewrite..

--
"If there is a God, he must be a sadist!"
Email: rrjanbiah-at-Y!com
Jul 17 '05 #4
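Replies #2 and #4 both land on the same design: keep the real files where Apache will never serve them directly, and let download.php be the only path to them, checking the session flag and emitting proper headers. The following is an added example written for this thread, not code posted by anyone in it; the FILE_STORE path, the `f` query parameter and the `/download/` directory layout are assumptions. The .htaccess shown in the leading comment is sk's mod_rewrite variant (a request for /download/foo123.doc runs download.php with foo123 as its argument). It does not loop the way the original post feared, because the rule's pattern matches only `name.doc` and never download.php itself.

```php
<?php
// download.php -- gateway that serves a .doc file to a logged-in session.
// Added example for this thread; file locations and parameter names are
// assumptions, not anything posted by the participants.
//
// Companion .htaccess placed in the public /download/ directory (assumed):
//
//   Options -Indexes
//   RewriteEngine On
//   # /download/foo123.doc  ->  download.php?f=foo123
//   # The pattern cannot match download.php, and [L] ends the pass, so the
//   # internal redirect does not rewrite itself again.
//   RewriteRule ^([A-Za-z0-9_-]+)\.doc$ download.php?f=$1 [L,QSA]
//
// Only download.php lives under /download/. The documents themselves sit in
// FILE_STORE, outside DocumentRoot, so there is no direct URL to guess.

define('FILE_STORE', '/var/www/private_files'); // assumed; outside DocumentRoot

session_start();

// 1. Authentication: the $logged_in session flag from the original question.
if (empty($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
    header('HTTP/1.0 403 Forbidden');
    exit('Please log in to download files.');
}

// 2. Validate the rewritten argument. A bare name only (no slashes, no
//    dots), so a crafted request cannot escape FILE_STORE.
$name = isset($_GET['f']) ? $_GET['f'] : '';
if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
    header('HTTP/1.0 400 Bad Request');
    exit('Bad file name.');
}

$path = FILE_STORE . '/' . $name . '.doc';
if (!is_file($path) || !is_readable($path)) {
    header('HTTP/1.0 404 Not Found');
    exit('No such file.');
}

// 3. The headers sk's reply says older browsers need to name the file
//    correctly: a concrete MIME type, an exact length and a filename.
header('Content-Type: application/msword');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '.doc"');
header('Cache-Control: private'); // keep shared caches from storing the copy

// 4. Stream the bytes and stop; nothing may follow the binary body.
readfile($path);
exit;
```

Because the documents are outside DocumentRoot, the directory-wide deny rules the original post wanted to avoid are unnecessary: Apache simply has no URL for those files. The regex on `f` is what keeps the argument sk proposed from being turned into a path traversal, and the 403 before any filesystem access means an unauthenticated request learns nothing about which names exist.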
