httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Andersson" <>
Subject Re: [users@httpd] direct link prevention with PHP
Date Mon, 08 Dec 2003 06:07:22 GMT
Jan Bols
> I was thinking to use mod_rewrite, but I don't think this works because it
> will keep on rewriting the url to go to the download.php file.

I think this would work if you place a PHP script somewhere outside your
"download directory", that returns a success status (eg. 200) if the user is
authorized and failure (eg. 404) if the user isn't.

Then use mod_rewrite to perform a sub request to see if
"/some/path/download.php" exists, and if it doesn't, disallow the request.

I don't know if this can work (haven't slept for 30+ hours :/ ), and this
pseudo example certainly doesn't, but I hope you get the idea:

    <Directory /path/to/docroot/download>
        RewriteEngine On
        RewriteCond /scripts/valid-session.php !-F
        RewriteRule ^(.*) /youre-not-authorized.php?file=$1

I don't know if enough info will be available to the valid-session.php
script for it to be able to authenticate the user, though. With clever
tweaking, you might be able to get around it.

Another, simpler method, might be to set a client cookie, which easily could
be checked with mod_rewrite (I think).

Robert Andersson

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message