Idea needed : protect unauthorized user from downloading

godsquare
Forum Newbie
Posts: 7
Joined: Tue Aug 12, 2008 11:54 am

Idea needed : protect unauthorized user from downloading

Post by godsquare »

Hi All,

I have a requirement and I have no idea how to implement it.

I have users in MySQL. Let's say usera and userb.

And I have 1 file. Let's say a.zip.

My requirement is : Only usera can download this file (via http). And the permission can change dynamically with new user and new file added later.

Any suggestion will be appreciated.

PS. a.zip may be a large file (more than 1 GB) so this method must not consume a lot of host CPU or Memory.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Idea needed : protect unauthorized user from downloading

Post by califdon »

If I understand what you want to do, it should be a rather straightforward matter to validate the user and either allow or disallow them to download a file, based on either a database or a text file containing the permissions.

Things you need to consider include: how secure does this need to be? are you worried about sophisticated hackers, or merely managing who can download what files? how many users and how many files may eventually be involved? what method of downloading do you plan to use?
godsquare
Forum Newbie
Posts: 7
Joined: Tue Aug 12, 2008 11:54 am

Re: Idea needed : protect unauthorized user from downloading

Post by godsquare »

califdon wrote: Things you need to consider include: how secure does this need to be? are you worried about sophisticated hackers, or merely managing who can download what files? how many users and how many files may eventually be involved? what method of downloading do you plan to use?
This system will involve a lot of files and users.
And I have no idea about the downloading method. But it has to download via HTTP.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Idea needed : protect unauthorized user from downloading

Post by alex.barylski »

Store the files either outside docroot or in an .htaccess protected directory and use a download proxy to check access permissions and download the file if you're go for launch.
godsquare
Forum Newbie
Posts: 7
Joined: Tue Aug 12, 2008 11:54 am

Re: Idea needed : protect unauthorized user from downloading

Post by godsquare »

Hockey wrote: Store the files either outside docroot or in an .htaccess protected directory and use a download proxy to check access permissions and download the file if you're go for launch.
Is there any sample download proxy script?

Does this method consume resources?

Thank you very much :)
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Idea needed : protect unauthorized user from downloading

Post by pickle »

Yes that method consumes resources. Any PHP file or script consumes resources. It's a pretty simple script though, so I wouldn't worry too much about the overhead.

Basically, this proxy file will do 3 things:

1) Verify that the user requesting the file is allowed to download the file. When the proxy file is requested, it's just like requesting a web page, so any $_COOKIE or $_SESSION values you've assigned for authentication, will be passed to the proxy file.

2) Output the appropriate Content-Type header for the file the user wants to download

3) Outputs the contents of the file with readfile().

You can call the proxy file like this:

<a href = "downloadproxy.php?filename=a.zip">Download the file</a>
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
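
An added example (not code posted in this thread) of the three-step download proxy described above: it checks the session and a per-file permission row, confines the request's `filename` to the storage directory, and streams the file with output buffering off so a 1 GB archive does not sit in PHP memory. The table `file_permissions`, the session key `user_id`, the storage path and the database credentials are assumptions made for illustration.

```php
<?php
// downloadproxy.php: added example, not code from the thread.
// Assumed (hypothetical) names: table file_permissions(user_id, filename),
// session key 'user_id', storage directory /var/private_files outside docroot.
declare(strict_types=1);

const STORAGE_DIR = '/var/private_files';   // assumption: not reachable by URL

session_start();

// Step 1a: the caller must already be logged in.
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Login required');
}

// The filename parameter is user input: keep only the bare name and confirm
// the resolved path is a regular file directly inside the storage directory.
$name = basename((string)($_GET['filename'] ?? ''));
$base = realpath(STORAGE_DIR);
$path = realpath(STORAGE_DIR . '/' . $name);
if ($name === '' || $base === false || $path === false
        || dirname($path) !== $base || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Step 1b: permission lookup with a prepared statement (placeholder credentials).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user',
    'placeholder-password', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'SELECT 1 FROM file_permissions WHERE user_id = ? AND filename = ?');
$stmt->execute([$_SESSION['user_id'], $name]);
if ($stmt->fetchColumn() === false) {
    http_response_code(403);
    exit('Forbidden');
}

session_write_close();                          // release the session lock during the transfer
while (ob_get_level() > 0) { ob_end_clean(); }  // no buffering: memory stays flat for large files
set_time_limit(0);

// Step 2: headers. Step 3: stream the file.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . addcslashes($name, '"\\') . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Adding a new user or file then only means inserting a row into the permissions table; nothing in the script changes.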
omniuni
Forum Regular
Posts: 738
Joined: Tue Jul 15, 2008 10:50 pm
Location: Carolina, USA

Re: Idea needed : protect unauthorized user from downloading

Post by omniuni »

On a very simple side, create a "download.php" which has a simple function to check if the user is allowed to dl a file. When they click the link, have a popup window "download.php?user=xyz&file=filename" and it will either say "I'm sorry, you can't download this" or it will present a link to the file in a directory. It's not very secure, the user can always copy-paste the link, but it may work for you.

-OmniUni
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Idea needed : protect unauthorized user from downloading

Post by pickle »

omniuni wrote:On a very simple side, create a "download.php" which has a simple function to check if the user is allowed to dl a file. When they click the link, have a popup window "download.php?user=xyz&file=filename" and it will either say "I'm sorry, you can't download this" or it will present a link to the file in a directory. It's not very secure, the user can always copy-paste the link, but it may work for you.
Which is why I recommended a download proxy file - it is as secure as your authentication scheme.
godsquare
Forum Newbie
Posts: 7
Joined: Tue Aug 12, 2008 11:54 am

Re: Idea needed : protect unauthorized user from downloading

Post by godsquare »

Thank you for all the suggestions!!

I think I'll try download proxy solution. Hope it doesn't consume so much resource :D