Protect download files

Re: Protect download files

On Fri, 22 Jul 2005 05:11:04 -0700, fgarciarico wrote:
[color=blue]
> If I write in the location bar the url of a video, I can download
> without problem because the application cannot test if the user is
> already authenticated or not. I´ve read something about RedirectMatch
> and it works well but now the users cannot see the videos.[/color]

Do one of the following:

1) Use Basic Auth in the .htaccess file
Example: http://httpd.apache.org/docs/1.3/howto/auth.html

2) Use Basic Auth within PHP


I recommend number (1). Of course, the trouble with that is that it is
outside any application logic.

You could try putting any .avi (or other protected files) outside the http
virtual directory path and then create a PHP shell app that just gets and
downloads the file for you. (I know you said you are trying something
like this). To do this you will need to use

header("Content-type: blah/blah");

where blah/blah is the correct content type

The important thing here is to put the .avi files (any protected files)
OUTSIDE the http virtual directory path! So that one cannot just type in
a URL and get the file.


--
JDS | jeffrey@example .invalid
| http://www.newtnotes.com
DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/

Re: Protect download files



JDS wrote:[color=blue]
> On Fri, 22 Jul 2005 05:11:04 -0700, fgarciarico wrote:
>[color=green]
> > If I write in the location bar the url of a video, I can download
> > without problem because the application cannot test if the user is
> > already authenticated or not. I´ve read something about RedirectMatch
> > and it works well but now the users cannot see the videos.[/color]
>
> Do one of the following:
>
> 1) Use Basic Auth in the .htaccess file
> Example: http://httpd.apache.org/docs/1.3/howto/auth.html
>
> 2) Use Basic Auth within PHP
> http://us2.php.net/features.http-auth
>
> I recommend number (1). Of course, the trouble with that is that it is
> outside any application logic.
>
> You could try putting any .avi (or other protected files) outside the http
> virtual directory path and then create a PHP shell app that just gets and
> downloads the file for you. (I know you said you are trying something
> like this). To do this you will need to use
>
> header("Content-type: blah/blah");
>
> where blah/blah is the correct content type
>
> The important thing here is to put the .avi files (any protected files)
> OUTSIDE the http virtual directory path! So that one cannot just type in
> a URL and get the file.
>
>
> --
> JDS | jeffrey@example .invalid
> | http://www.newtnotes.com
> DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/[/color]


put a .htaccess in your video dir containing the line:

deny from all

this will prevent any browser access in that dir

now deliver the videos to your users with a php script that

1. checks the credentials and
2. if ok, delivers the video via the servers filesystem, using i.e.
readfile (which is not affected by .htaccess)

micha

Re: Protect download files

deliver_video.p hp has to be outside the video dir of course

micha

Re: Protect download files

chotiwallah wrote:[color=blue]
>
> JDS wrote:
>[color=green]
>>On Fri, 22 Jul 2005 05:11:04 -0700, fgarciarico wrote:
>>
>>[color=darkred]
>>>If I write in the location bar the url of a video, I can download
>>>without problem because the application cannot test if the user is
>>>already authenticated or not. I´ve read something about RedirectMatch
>>>and it works well but now the users cannot see the videos.[/color]
>>
>>Do one of the following:
>>
>>1) Use Basic Auth in the .htaccess file
>>Example: http://httpd.apache.org/docs/1.3/howto/auth.html
>>
>>2) Use Basic Auth within PHP
>>http://us2.php.net/features.http-auth
>>
>>I recommend number (1). Of course, the trouble with that is that it is
>>outside any application logic.
>>
>>You could try putting any .avi (or other protected files) outside the http
>>virtual directory path and then create a PHP shell app that just gets and
>>downloads the file for you. (I know you said you are trying something
>>like this). To do this you will need to use
>>
>>header("Conte nt-type: blah/blah");
>>
>>where blah/blah is the correct content type
>>
>>The important thing here is to put the .avi files (any protected files)
>>OUTSIDE the http virtual directory path! So that one cannot just type in
>>a URL and get the file.
>>
>>
>>--
>> JDS | jeffrey@example .invalid
>> | http://www.newtnotes.com
>> DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/[/color]
>
>
>
> put a .htaccess in your video dir containing the line:
>
> deny from all
>
> this will prevent any browser access in that dir
>
> now deliver the videos to your users with a php script that
>
> 1. checks the credentials and
> 2. if ok, delivers the video via the servers filesystem, using i.e.
> readfile (which is not affected by .htaccess)
>
> micha
>[/color]

Or, better yet, put them below the document_root. That way you're not depending
on the .htaccess.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attgl obal.net
=============== ===

Re: Protect download files

I´ve thought something like that but I must show the video files into
a media player object in my web pages and I think that if the video
file isn´t on a valid url, I cannot show it. Or?

Re: Protect download files

On Tue, 26 Jul 2005 00:30:44 -0700, fgarciarico wrote:
[color=blue]
> I´ve thought something like that but I must show the video files into
> a media player object in my web pages and I think that if the video
> file isn´t on a valid url, I cannot show it. Or?[/color]

You can use a PHP file as the video file. Just send the proper header.
For example, I can use a PHP script as a JPEG or GIF image if I send the
proper header:

header("Content-type: image/jpeg");

AND if the content following is an actual JPEG image.

For example, say I have an image, "image.jpg" . I can read it into the PHP
script using one of the binary-safe file reading functions in PHP:

(I think this example will work)

getimage.php:

<?
/* ...Include authentication and security stuff here...*/

$file = "image.jpg" ;
$file_contents = file_get_conten ts($file);
header("Content-type: image/jpeg");
print $file_contents;
exit;
?>

Now include getimage.php in your HTML page:

<p>
<img src="getimage.p hp">
</p>


You should be able to do the same with a video file. Using the video
file's MIME type, of course, in the header.

later...

--
JDS | jeffrey@example .invalid
| http://www.newtnotes.com
DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/