httpd-users mailing list archives

From Saqib Ali <sa...@seagate.com>
Subject Re: [users@httpd] direct link prevention with PHP
Date Fri, 05 Dec 2003 16:07:41 GMT
Hello Jan,

The following may be helpful:
http://www.pubcookie.org/

Saqib Ali
-------------
http://validate.sf.net <---- HTML/XHTML/DocBook Validator

On Fri, 5 Dec 2003, Jan Bols wrote:

> I'm using PHP 4.3 and Apache 2.0. I have a website that requires people
> to log in before they can download files from my website. A person is
> logged in if there is a session-variable $logged_in set to TRUE.
>
> How can I prevent people from downloading a file (f.e. myfile.doc)
> without being logged in when they know the direct link to the file
> (http://www.mysite.com/somedir/myfile.doc)?
>
> Putting the file in an obscure place by working with random numbers
> (http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.
>
> The other solution of using a scriptfile like download.php as a gateway
> to serve the file and restricting all other access to the directory with
> a .htaccess file is also not an option, because this doesn't work
> perfectly in older browsers that don't handle the headers (Content...)
> correctly.
>
> I would like Apache to handle this. If one requests a file in a certain
> directory, I want apache to check if the user is logged in or not by
> calling a file like download.php. If he is logged in then the requested
> file is served by apache (not by the download.php file acting as a
> gateway). I was thinking to use mod_rewrite, but I don't think this
> works because it will keep on rewriting the url to go to the
> download.php file. Even if I'm coming from that place. Also using
> HTTP_REFERER is not a good idea because a lot of firewalls prevent this
> information.
>
> Is this simply impossible? Can I use mod_rewrite for this and how? Are
> there other possibilities?
>
> Thanks
> Jan Bols
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
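
The download.php gateway that the quoted question describes, as an added example that is not part of either message in this thread. The protected directory path, the `file` query parameter and the helper name `resolve_download` are assumptions; the `logged_in` session flag follows the question.

```php
<?php
// Added example, not code from the thread.
// Assumptions: files live in PROTECTED_DIR, which Apache does not serve
// directly (outside the document root, or denied via .htaccess), and the
// login code sets $_SESSION['logged_in'] = true.
define('PROTECTED_DIR', '/var/www/protected'); // hypothetical path

// Map a user-supplied name to a real file inside $baseDir, or return null.
function resolve_download($baseDir, $requested)
{
    // Accept a bare file name only: no NUL bytes, directories or dotfiles.
    if (!is_string($requested) || $requested === ''
        || strpos($requested, "\0") !== false
        || $requested !== basename($requested) || $requested[0] === '.') {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() resolves symlinks; the result must still be under $base.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['logged_in'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Login required.');
}

$path = resolve_download(PROTECTED_DIR, isset($_GET['file']) ? $_GET['file'] : '');
if ($path === null) {
    header('HTTP/1.1 404 Not Found');
    exit('No such file.');
}

// Generic type plus an attachment disposition so the browser saves the file
// instead of rendering it; the name was already restricted above.
$quoted = addcslashes(basename($path), '"\\');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $quoted . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The name check matters as much as the session check: without it, a logged-in user could request `../` paths and read files outside the download directory.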


