I have files on my Apache web server that are NOT in publicly accessible space.
I want to make these files available for download only to authenticated users.
I currently use a download script that is accessed from an SSL-encrypted page
(that the user arrives at after authenticating). There are links in this page
that initiate the different file downloads by passing a variable (name of the
directory and file) to the download script.
It works fine, but if someone were to guess the full path of the file on the web
server, the download could be initiated without coming from the SSL-encrypted
page. I could check referrer, but I'd rather not rely on that.
How can I ensure that my download script is only initiated from the encrypted
page?
Here is the download script (which IS in publicly-accessible space):
$info = trim($_GET['fileinfo']); //a 'directory.filename.extension' is passed
in
$info_array = explode(".", $info);
$directory = $info_array[0]."/";
$filename = $info_array[1].".".$info_array[2];
$extension = $info_array[2];
$dlfile = "/home/user-directory/private-data/".$directory.$filename;
header("Content-Disposition: attachment; filename=".$filename);
header('Content-type: application/'.$extension);
header("Content-Length: ".filesize($dlfile));
readfile($dlfile);
If someone were to enter a URL like this:
http://www.example.com/download-scri...ory.myfile.zip
then all the SSL is for nothing...
I could use htaccess to protect the directory that the download script is in,
but that means the user has to authenticate twice when trying to download
something.
And if I try to do this:
session_start();
if ($_SESSION['uid'] == "valid_user")
{
//execute script
}
else
{
exit;
}
the download barfs.
How do I make my downloads secure?
Thanks in advance
