httpd-users mailing list archives

From Jan Bols <...@ivpv.ugent.be>
Subject [users@httpd] direct link prevention with PHP
Date Fri, 05 Dec 2003 15:46:54 GMT
I'm using PHP 4.3 and Apache 2.0. I have a website that requires people 
to log in before they can download files from my website. A person is 
logged in if there is a session-variable $logged_in set to TRUE.

How can I prevent people from downloading a file (f.e. myfile.doc) 
without being logged in when they know the direct link to the file 
(http://www.mysite.com/somedir/myfile.doc)?

Putting the file in an obscure place by working with random numbers 
(http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.

The other solution of using a scriptfile like download.php as a gateway 
to serve the file and restricting all other access to the directory with 
a .htaccess file is also not an option, because this doesn't work 
perfectly in older browsers that don't handle the headers (Content...) 
correctly.

I would like Apache to handle this. If one requests a file in a certain 
directory, I want Apache to check if the user is logged in or not by 
calling a file like download.php. If he is logged in, then the requested 
file is served by Apache (not by the download.php file acting as a 
gateway). I was thinking of using mod_rewrite, but I don't think this 
works because it will keep on rewriting the URL to go to the 
download.php file, even if I'm coming from that place. Also, using 
HTTP_REFERER is not a good idea because a lot of firewalls prevent this 
information.

Is this simply impossible? Can I use mod_rewrite for this and how? Are 
there other possibilities?

Thanks
Jan Bols



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
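
The gateway approach mentioned in the message (a download.php script in front of a directory that .htaccess closes to direct requests), as an added example that is not part of the original post. The `file` query parameter, the directory path and the `$_SESSION['logged_in']` form of the login flag are assumptions.

```php
<?php
// download.php: hypothetical gateway script (added example, not the poster's code).
// Assumes Apache refuses direct requests to PROTECTED_DIR, for example with
// "Deny from all" in that directory's .htaccess on Apache 2.0.
session_start();

const PROTECTED_DIR = '/var/www/protected';   // assumed location of the files

// 1. Authorization: the login flag described in the message, read from the
//    session (assumed to be stored as $_SESSION['logged_in']).
if (empty($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
    http_response_code(403);
    exit('Login required.');
}

// 2. Keep only the final path component so "../" cannot leave the directory.
$name = basename((string)($_GET['file'] ?? ''));   // 'file' is an assumed parameter
$base = realpath(PROTECTED_DIR);
$path = realpath(PROTECTED_DIR . '/' . $name);

// 3. Confirm the resolved path is a regular file inside PROTECTED_DIR
//    (realpath also resolves symlinks that point elsewhere).
if ($name === '' || $base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found.');
}

// 4. Send the file as an attachment. nosniff stops browsers from guessing a
//    different content type than the one declared here.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . addcslashes($name, '"\\') . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```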

