direct link prevention on apache

  • Jan Bols

    direct link prevention on apache

    I'm using PHP 4.3 and APACHE2.0. I have a website that requires people
    to log in before they can download files from my website. A person is
    logged in if there is a session-variable $logged_in set to TRUE.

    How can I prevent people from downloading a file (f.e. myfile.doc)
    without being logged in when they know the direct link to the file
    (http://www.mysite.com/somedir/myfile.doc)?

    Putting the file in an obscure place by working with random numbers
    (http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.

    The other solution of using a scriptfile like download.php as a gateway
    to serve the file and restricting all other access to the directory with
    a .htaccess file is also not an option, because this doesn't work
    perfectly in older browsers that don't handle the headers(Content ...)
    correctly.

    I would like Apache to handle this. If one requests a file in a certain
    directory, I want apache to check if the user is logged in or not by
    calling a file like download.php. If he is logged in then the requested
    file is served by apache (not by the download.php file acting as a
    gateway). I was thinking to use mod_rewrite, but I don't think this
    works because it will keep on rewriting the url to go to the
    download.php file. Even if I'm coming from that place. Also using
    HTTP_REFERER is not a good idea because a lot of firewalls prevent this
    information.

    Is this simply impossible? Can I use mod_rewrite for this and how? Are
    there other possibilities?

    Thanks
    Jan Bols

  • Steve Koppelman

    #2
    Re: direct link prevention on apache

    Jan Bols wrote:
    > I'm using PHP 4.3 and APACHE2.0. I have a website that requires people
    > to log in before they can download files from my website. A person is
    > logged in if there is a session-variable $logged_in set to TRUE.
    >
    > How can I prevent people from downloading a file (f.e. myfile.doc)
    > without being logged in when they know the direct link to the file
    > (http://www.mysite.com/somedir/myfile.doc)?

    Don't offer a direct link to the file. Or, alternatively, preprocess
    every request for the file through a module (or mod_perl or
    mod_[whatever] function that checks for a certain cookie or whatever you
    use for login credentials). You would make this a rule in httpd.conf or
    .htaccess.
    > Putting the file in an obscure place by working with random numbers
    > (http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.

    Good. That's lame.
    > The other solution of using a scriptfile like download.php as a gateway
    > to serve the file and restricting all other access to the directory with
    > a .htaccess file is also not an option, because this doesn't work
    > perfectly in older browsers that don't handle the headers(Content ...)
    > correctly.

    What browsers are you talking about? Ones dating back to 1995? If you
    form your headers correctly and spit out the right MIME type and
    Content-length, the file will get a name properly in any major browser
    made from 1997 on. If it's not working for you, it's your bug. It seems
    to work well enough for CNet, Tucows and a zillion other big download
    sites, so what are you concerned about? Why do you care about users with
    ancient, broken browsers? Isn't 6 years a long enough cutoff age for
    this kind of feature support?
    > I would like Apache to handle this. If one requests a file in a certain
    > directory, I want apache to check if the user is logged in or not by
    > calling a file like download.php. If he is logged in then the requested
    > file is served by apache (not by the download.php file acting as a
    > gateway). I was thinking to use mod_rewrite, but I don't think this
    > works because it will keep on rewriting the url to go to the
    > download.php file. Even if I'm coming from that place. Also using
    > HTTP_REFERER is not a good idea because a lot of firewalls prevent this
    > information.

    A lot of firewalls block referrers? Or a few run at home by lunatics?
    Regardless, referrers really aren't the best way to do it anyway.

    In any case, forget mod_rewrite for the moment. Just set the *.doc file
    extension in a certain directory to execute as PHP in your httpd.conf or
    .htaccess, and have mydoc.doc be a PHP script that checks login creds
    and pipes out the .doc file contents. Or if you want unique filenames,
    then add mod_rewrite to the mix so that a request for
    /download/foo123.doc executes download.php and treats foo123 as an argument.

    -sk

    • Chung Leong

      #3
      Re: direct link prevention on apache

      Tough nut to crack. All I can think of is to dynamically add the client's
      IP address to a .htaccess file, then redirect the browser to the URL
      pointing to the file. The IP address should be saved to a session variable
      so that you can remove it from .htaccess when the session expires.

      User "Jan Bols" <jan@ivpv.ugent.be> wrote in message
      news:bqq7oe$9hp$1@gaudi2.UGent.be...
      > I'm using PHP 4.3 and APACHE2.0. I have a website that requires people
      > to log in before they can download files from my website. A person is
      > logged in if there is a session-variable $logged_in set to TRUE.
      >
      > How can I prevent people from downloading a file (f.e. myfile.doc)
      > without being logged in when they know the direct link to the file
      > (http://www.mysite.com/somedir/myfile.doc)?
      >
      > Putting the file in an obscure place by working with random numbers
      > (http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.
      >
      > The other solution of using a scriptfile like download.php as a gateway
      > to serve the file and restricting all other access to the directory with
      > a .htaccess file is also not an option, because this doesn't work
      > perfectly in older browsers that don't handle the headers(Content ...)
      > correctly.
      >
      > I would like Apache to handle this. If one requests a file in a certain
      > directory, I want apache to check if the user is logged in or not by
      > calling a file like download.php. If he is logged in then the requested
      > file is served by apache (not by the download.php file acting as a
      > gateway). I was thinking to use mod_rewrite, but I don't think this
      > works because it will keep on rewriting the url to go to the
      > download.php file. Even if I'm coming from that place. Also using
      > HTTP_REFERER is not a good idea because a lot of firewalls prevent this
      > information.
      >
      > Is this simply impossible? Can I use mod_rewrite for this and how? Are
      > there other possibilities?
      >
      > Thanks
      > Jan Bols
      >


      • R. Rajesh Jeba Anbiah

        #4
        Re: direct link prevention on apache

        Jan Bols <jan@ivpv.ugent.be> wrote in message news:<bqq7oe$9hp$1@gaudi2.UGent.be>...
        > I'm using PHP 4.3 and APACHE2.0. I have a website that requires people
        > to log in before they can download files from my website. A person is
        > logged in if there is a session-variable $logged_in set to TRUE.

        <snip>
        > The other solution of using a scriptfile like download.php as a gateway
        > to serve the file and restricting

        AFAIK, this is the right way. Just check the logged-in flag in your
        download.php file (i.e., the session variable for logged-in).

        > all other access to the directory with
        > a .htaccess file is also not an option, because this doesn't work
        > perfectly in older browsers that don't handle the headers(Content ...)
        > correctly.
        >
        > I would like Apache to handle this. If one requests a file in a certain
        > directory, I want apache to check if the user is logged in or not by
        > calling a file like download.php. If he is logged in then the requested
        > file is served by apache (not by the download.php file acting as a
        > gateway). I was thinking to use mod_rewrite, but I don't think this
        > works because it will keep on rewriting the url to go to the
        > download.php file. Even if I'm coming from that place. Also using
        > HTTP_REFERER is not a good idea because a lot of firewalls prevent this
        > information.
        >
        > Is this simply impossible? Can I use mod_rewrite for this and how? Are
        > there other possibilities?

        I couldn't understand the reason to go for mod_rewrite.

        --
        "If there is a God, he must be a sadist!"
        Email: rrjanbiah-at-Y!com
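The gateway script that Steve Koppelman (#2) and R. Rajesh Jeba Anbiah (#4) both describe, as an added example that is not code from the thread or from any poster: download.php checks the session flag, validates the requested name, and streams the file with the Content-Type, Content-Length and Content-Disposition headers that let browsers save it under its own name. The storage path, the mod_rewrite rule in the comments and the extension whitelist are assumptions; the files are kept outside the document root so Apache never serves them directly.

```php
<?php
// download.php: serves files only to logged-in sessions. Added example, not thread code.
// Assumed companion .htaccess rule (mod_rewrite), so /download/foo123.doc reaches this
// script as download.php?file=foo123.doc:
//   RewriteEngine On
//   RewriteRule ^download/([A-Za-z0-9_-]+\.(doc|pdf|zip))$ download.php?file=$1 [L]

define('STORAGE_DIR', '/var/www/private_files');   // assumed path, outside DocumentRoot

session_start();

// The thread's login convention: the session variable $logged_in is TRUE after login.
if (empty($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
    header('HTTP/1.0 403 Forbidden');
    exit('Login required.');
}

$name = isset($_GET['file']) ? $_GET['file'] : '';

// Whitelist the name: a bare filename with a known extension, so no slashes or "..".
if (!preg_match('/^[A-Za-z0-9_-]+\.(doc|pdf|zip)$/', $name)) {
    header('HTTP/1.0 400 Bad Request');
    exit('Bad file name.');
}

$base = realpath(STORAGE_DIR);
$path = realpath(STORAGE_DIR . '/' . $name);

// realpath() follows symlinks, so re-check that the result is still inside STORAGE_DIR.
if ($base === false || $path === false || strpos($path, $base . '/') !== 0 || !is_file($path)) {
    header('HTTP/1.0 404 Not Found');
    exit('No such file.');
}

$types = array('doc' => 'application/msword', 'pdf' => 'application/pdf', 'zip' => 'application/zip');
$ext   = strtolower(substr(strrchr($name, '.'), 1));

// Correct MIME type, exact length and an attachment disposition are what make
// browsers prompt with the right filename instead of rendering or mangling the file.
header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Cache-Control: private, no-cache');
header('Pragma: no-cache');   // for HTTP/1.0 proxies

readfile($path);   // streams the file to the client without loading it all into memory
```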
