Posted to users@httpd.apache.org by Jan Bols <ja...@ivpv.ugent.be> on 2003/12/05 16:46:54 UTC

[users@httpd] direct link prevention with PHP

I'm using PHP 4.3 and Apache 2.0. I have a website that requires people 
to log in before they can download files from my website. A person is 
logged in if there is a session variable $logged_in set to TRUE.

How can I prevent people from downloading a file (e.g. myfile.doc) 
without being logged in when they know the direct link to the file 
(http://www.mysite.com/somedir/myfile.doc)?

Putting the file in an obscure place by working with random numbers 
(http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.

The other solution of using a script file like download.php as a gateway 
to serve the file and restricting all other access to the directory with 
a .htaccess file is also not an option, because this doesn't work 
perfectly in older browsers that don't handle the headers (Content-...) 
correctly.

I would like Apache to handle this. If one requests a file in a certain 
directory, I want Apache to check if the user is logged in or not by 
calling a file like download.php. If he is logged in, then the requested 
file is served by Apache (not by the download.php file acting as a 
gateway). I was thinking of using mod_rewrite, but I don't think this 
works because it will keep on rewriting the URL to go to the 
download.php file, even if I'm coming from that place. Also, using 
HTTP_REFERER is not a good idea because a lot of firewalls prevent this 
information from being sent.

Is this simply impossible? Can I use mod_rewrite for this and how? Are 
there other possibilities?

Thanks
Jan Bols



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] direct link prevention with PHP

Posted by Kyle Dent <kd...@seaglass.com>.
On Fri, 5 Dec 2003, Jan Bols wrote:

> I'm using PHP 4.3 and Apache 2.0. I have a website that requires people
> to log in before they can download files from my website. A person is
> logged in if there is a session variable $logged_in set to TRUE.
>
> How can I prevent people from downloading a file (e.g. myfile.doc)
> without being logged in when they know the direct link to the file
> (http://www.mysite.com/somedir/myfile.doc)?
>
> Putting the file in an obscure place by working with random numbers
> (http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.
>
> The other solution of using a script file like download.php as a gateway
> to serve the file and restricting all other access to the directory with
> a .htaccess file is also not an option, because this doesn't work
> perfectly in older browsers that don't handle the headers (Content-...)
> correctly.

huh?

> I would like Apache to handle this. If one requests a file in a certain
> directory, I want Apache to check if the user is logged in or not by
> calling a file like download.php. If he is logged in, then the requested
> file is served by Apache (not by the download.php file acting as a
> gateway). I was thinking of using mod_rewrite, but I don't think this
> works because it will keep on rewriting the URL to go to the
> download.php file, even if I'm coming from that place. Also, using
> HTTP_REFERER is not a good idea because a lot of firewalls prevent this
> information from being sent.
>
> Is this simply impossible? Can I use mod_rewrite for this and how? Are
> there other possibilities?

If you don't want to do this with the actual authentication
mechanisms available for the web server, you can do it within
your script. Place the protected file outside of your web
accessible files. The link to the file should actually be a link
to your script. When your script is invoked, it checks the
authentication status. If it checks out, your script opens the
file, sends the correct MIME headers followed by the contents of
the file.

Kyle
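The gateway Kyle describes, written out as an added example (this is not Kyle's code and not from the thread). It assumes the protected files live in /srv/protected, outside DocumentRoot, that the login page sets $_SESSION['logged_in'] = true as in Jan's setup, and that pages link to download.php?f=myfile.doc; the directory, the allow-list and the MIME types are constructed for the example. It goes one step beyond what Kyle states: the requested name is looked up in an allow-list and resolved with realpath(), so the script can only ever serve files from its own directory, whatever the client puts in the query string.

```php
<?php
// Added example of a download gateway: authenticate, validate the name, stream the file.
// Assumed layout (not from the thread): files in /srv/protected, login sets
// $_SESSION['logged_in'] = true, pages link to download.php?f=<name>.

session_start();

// Constructed for this example: the directory holding the protected files, outside the web root.
$base = '/srv/protected';

// Constructed allow-list of file names that may be served, with the MIME type to send for each.
$allowed = array(
    'myfile.doc' => 'application/msword',
    'report.pdf' => 'application/pdf',
);

// Send a status line and a short text body, then stop; nothing about the file leaks.
function deny($status, $text)
{
    header($_SERVER['SERVER_PROTOCOL'] . ' ' . $status . ' ' . $text);
    header('Content-Type: text/plain');
    echo $text;
    exit;
}

// 1. Authentication: the session flag Jan's login page sets.
if (empty($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
    deny(403, 'Forbidden');
}

// 2. Name validation: allow-list first, then basename() and a realpath() containment
//    check so "../" or stray separators can never resolve to a path outside $base.
$name = isset($_GET['f']) ? $_GET['f'] : '';
if (!isset($allowed[$name]) || basename($name) !== $name) {
    deny(404, 'Not Found');
}
$path = realpath($base . '/' . $name);
if ($path === false || strpos($path, realpath($base) . '/') !== 0 || !is_file($path)) {
    deny(404, 'Not Found');
}

// 3. Serve the file with explicit headers; Apache never sees a URL for the file itself.
header('Content-Type: ' . $allowed[$name]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Cache-Control: private, no-store');
readfile($path);
// No closing "?>" tag: trailing whitespace after it would be appended to the download.
```

Content-Length and Content-Disposition are the headers Jan reports older browsers mishandling; with a gateway they are the only description of the file the client receives, so every allow-list entry needs the right MIME type. The allow-list also means a wrong or probing `f=` value gets a 404 rather than a directory listing or a PHP warning.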


Re: [users@httpd] direct link prevention with PHP

Posted by Saqib Ali <sa...@seagate.com>.
Hello Jan

the following may be helpful
http://www.pubcookie.org/

Saqib Ali
-------------
http://validate.sf.net <---- HTML/XHTML/DocBook Validator


Re: [users@httpd] direct link prevention with PHP

Posted by Robert Andersson <ro...@profundis.nu>.
Jan Bols
> I was thinking of using mod_rewrite, but I don't think this works because it
> will keep on rewriting the URL to go to the download.php file.

I think this would work if you place a PHP script somewhere outside your
"download directory", that returns a success status (e.g. 200) if the user is
authorized and failure (e.g. 404) if the user isn't.

Then use mod_rewrite to perform a sub request to see if
"/some/path/download.php" exists, and if it doesn't, disallow the request.

I don't know if this can work (haven't slept for 30+ hours :/ ), and this
pseudo example certainly doesn't, but I hope you get the idea:

    <Directory /path/to/docroot/download>
        # mod_rewrite in a <Directory> section needs FollowSymLinks (or SymLinksIfOwnerMatch).
        Options FollowSymLinks
        RewriteEngine On
        # -F tests the string with an internal subrequest; the leading ! negates it,
        # so the rule below fires when that subrequest does not succeed.
        RewriteCond /scripts/valid-session.php !-F
        # In directory context the pattern sees the path relative to this directory,
        # so $1 is the requested file name. [L] stops further rewriting of this request;
        # the target lives outside /download, so this section's rules don't run on it again.
        RewriteRule ^(.*)$ /youre-not-authorized.php?file=$1 [L]
    </Directory>

I don't know if enough info will be available to the valid-session.php
script for it to be able to authenticate the user, though. With clever
tweaking, you might be able to get around it.

Another, simpler method might be to set a client cookie, which could easily
be checked with mod_rewrite (I think).

Regards,
Robert Andersson
