Protect file download....

Fix it!!

Protect file download....

Postby jame_2d@yahoo.com » Wed Jan 17, 2007 7:11 pm

Dear all friend...

if i have one file like a zip and i want them to download but must have password to download...
mean that must login by create the session first...
so how can i protect that file
i dont want some one download this file without login first...
and direct download by url without login....

from web master www.atkhmer.com
jame_2d
jame_2d@yahoo.com
 
Posts: 12
Joined: Tue Aug 22, 2006 4:26 am

Postby richardk » Thu Jan 18, 2007 12:35 pm

Don't put the file in a publicly accessible directory. Then write a simple server-side script that checks for the password/session/cookie then sends the file (or an error). If you're using PHP, look at this example of a (very simple) download script.

Edit Updated links to the download script.
Last edited by richardk on Tue Jul 03, 2007 9:07 am, edited 1 time in total.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

No...

Postby jame_2d@yahoo.com » Fri Jan 19, 2007 1:02 am

so if the user know that path of file...
they will can download...
so please how can i protect that file...


i mean that i want you wrote the .httaccess to check that
if want to download must have session first
if not go to other ...

jame_2d www.atkhmer.com
jame_2d@yahoo.com
 
Posts: 12
Joined: Tue Aug 22, 2006 4:26 am

Postby richardk » Fri Jan 19, 2007 9:55 am

so if the user know that path of file...
they will can download...
so please how can i protect that file...

Don't put the file in a publicly accessible directory.

Or you could use <Files> and mod_access. There's no need for any mod_rewrite.

In a .htaccess file in the same directory as the file:
Code: Select all
<Files the-files-name.ext>
  Order Allow,Deny
  Deny from All
</Files>


i mean that i want you wrote the .httaccess to check that
if want to download must have session first
if not go to other ...

How can mod_rewrite check the session? I don't even think it can check cookie values. You need a download script.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Excute me !

Postby jame_2d@yahoo.com » Fri Jan 19, 2007 5:19 pm

Excute me !

i still not understand about this
could you explain me agina how to do file .zip from other one download although they know the path...

please !!! and thank

from www.atkhmer.com web master
jame_2d@yahoo.com
 
Posts: 12
Joined: Tue Aug 22, 2006 4:26 am

Postby richardk » Sat Jan 20, 2007 7:19 am

Not with mod_rewrite!

Put the file somewhere they can't access, outside your document root. Then create a download script that checks they are logged in and then allows them to download the file.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby TeckniX » Tue Jul 03, 2007 8:42 am

well you could in a way do it with mod_rewrite.
Check that a requested_uri asks for a .zip file, and forward that request to a check.php file.
The file will then check if the user is logged in if he is, then send the file, if not, then forward to the login page.

something like:
check.php?zip=http://mydomain.com/download/stuff.zip
Code: Select all
$zippath = $_GET['zip'];
if(empty($_SESSION['user_name'])){
  header("Location: login.php");
}
else{
header("Location: $zippath");
}
TeckniX
 
Posts: 38
Joined: Tue Mar 27, 2007 12:18 pm

Postby richardk » Tue Jul 03, 2007 8:58 am

Not with mod_rewrite!

Ok, you can do it with mod_rewrite and a download script. The mod_rewrite is only going to do simple rewriting though, it won't do the checks.

Code: Select all
else{
header("Location: $zippath");
}

By redirecting to the Zip file you expose the real path and people can then directly link to the file bypassing the check.

Even if you are catching /download/stuff.zip with mod_rewrite and passing it to the checking script, you couldn't redirect to it as it would be caught by mod_rewrite again. You'd need a download script.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby TeckniX » Thu Jul 12, 2007 10:40 am

richardk wrote:
Not with mod_rewrite!

Ok, you can do it with mod_rewrite and a download script. The mod_rewrite is only going to do simple rewriting though, it won't do the checks.

Code: Select all
else{
header("Location: $zippath");
}

By redirecting to the Zip file you expose the real path and people can then directly link to the file bypassing the check.

Even if you are catching /download/stuff.zip with mod_rewrite and passing it to the checking script, you couldn't redirect to it as it would be caught by mod_rewrite again. You'd need a download script.


You're right, I didn't catch that the first time around, till I tried it - Thanks for the input, so with a download script it's possible :)
TeckniX
 
Posts: 38
Joined: Tue Mar 27, 2007 12:18 pm


Return to Security with Mod_Rewrite

Who is online

Users browsing this forum: No registered users and 1 guest

cron