Idea needed : protect unauthorized user from downloading

Posted: Tue Aug 12, 2008 12:05 pm
by godsquare
Hi All,

I have a requirement and I have no idea how to implement it.

I have users in MySQL. Let's say usera and userb.

And I have 1 file. Let's say a.zip.

My requirement is: only usera can download this file (via HTTP). And the permissions can change dynamically, with new users and new files added later.

Any suggestion will be appreciated.

PS. a.zip may be a large file (more than 1 GB) so this method must not consume a lot of host CPU or Memory.

Re: Idea needed : protect unauthorized user from downloading

Posted: Tue Aug 12, 2008 6:28 pm
by califdon
If I understand what you want to do, it should be a rather straightforward matter to validate the user and either allow or disallow them to download a file, based on either a database or a text file containing the permissions.

Things you need to consider include: How secure does this need to be? Are you worried about sophisticated hackers, or merely managing who can download what files? How many users and how many files may eventually be involved? What method of downloading do you plan to use?

Re: Idea needed : protect unauthorized user from downloading

Posted: Tue Aug 12, 2008 8:48 pm
by godsquare
califdon wrote: Things you need to consider include: How secure does this need to be? Are you worried about sophisticated hackers, or merely managing who can download what files? How many users and how many files may eventually be involved? What method of downloading do you plan to use?
This system will involve a lot of files and users.
And I have no idea about the downloading method. But it has to download via HTTP.

Re: Idea needed : protect unauthorized user from downloading

Posted: Tue Aug 12, 2008 8:56 pm
by alex.barylski
Store the files either outside docroot or in an .htaccess protected directory and use a download proxy to check access permissions and download the file if you're go for launch.

Re: Idea needed : protect unauthorized user from downloading

Posted: Wed Aug 13, 2008 9:35 am
by godsquare
Hockey wrote: Store the files either outside docroot or in an .htaccess protected directory and use a download proxy to check access permissions and download the file if you're go for launch.
Is there any sample download proxy script?

Does his method consume resources?

Thank you very much :)

Re: Idea needed : protect unauthorized user from downloading

Posted: Wed Aug 13, 2008 9:56 am
by pickle
Yes, that method consumes resources. Any PHP file or script consumes resources. It's a pretty simple script though, so I wouldn't worry too much about the overhead.

Basically, this proxy file will do 3 things:

1) Verify that the user requesting the file is allowed to download the file. When the proxy file is requested, it's just like requesting a web page, so any $_COOKIE or $_SESSION values you've assigned for authentication will be passed to the proxy file.

2) Output the appropriate Content-Type header for the file the user wants to download.

3) Output the contents of the file with readfile().

You can call the proxy file like this:

<a href = "downloadproxy.php?filename=a.zip">Download the file</a>
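
Added example, not part of the original thread or of any poster's code: one way to write the three-step proxy described above in PHP, with the files stored outside the docroot and streamed so a 1 GB download does not sit in memory. The `file_permissions` table, the `user_id` session key, the storage path and the database credentials are assumptions made for the illustration.

```php
<?php
// downloadproxy.php -- added example. Table, column, path, credential and
// session-key names are assumptions, not taken from the thread.
declare(strict_types=1);
session_start();

const STORAGE_DIR = '/srv/protected_files';   // assumed location outside the docroot

// 1) Authentication: the session cookie is sent with this request as well.
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Login required');
}

// Reduce the parameter to a bare file name so "../" cannot leave STORAGE_DIR.
$name = basename((string)($_GET['filename'] ?? ''));

// Authorization: one row per (user, file) pair, so permissions change by
// inserting or deleting rows. The prepared statement keeps input out of the SQL.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'CHANGE_ME',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('SELECT 1 FROM file_permissions WHERE user_id = ? AND file_name = ?');
$stmt->execute([$_SESSION['user_id'], $name]);

$path = STORAGE_DIR . '/' . $name;
// Same answer for "not permitted" and "no such file", so the proxy does not
// reveal which file names exist.
if ($name === '' || $stmt->fetchColumn() === false || !is_file($path)) {
    http_response_code(404);
    exit('File not found');
}

session_write_close();          // release the session lock during a long transfer
while (ob_get_level() > 0) {    // drop output buffers so the file is streamed,
    ob_end_clean();             // not accumulated in memory
}

// 2) Headers: force a download and stop the browser guessing the type.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . addcslashes($name, '"\\') . '"');
header('Content-Length: ' . filesize($path));

// 3) readfile() copies the file to the client in chunks.
readfile($path);
```

The user is taken from the session, never from a request parameter, so changing the URL cannot select another user's permissions.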

Re: Idea needed : protect unauthorized user from downloading

Posted: Wed Aug 13, 2008 6:13 pm
by omniuni
On a very simple side, create a "download.php" which has a simple function to check if the user is allowed to dl a file. When they click the link, have a popup window "download.php?user=xyz&file=filename" and it will either say "I'm sorry, you can't download this" or it will present a link to the file in a directory. It's not very secure, the user can always copy-paste the link, but it may work for you.

-OmniUni

Re: Idea needed : protect unauthorized user from downloading

Posted: Thu Aug 14, 2008 9:46 am
by pickle
omniuni wrote: On a very simple side, create a "download.php" which has a simple function to check if the user is allowed to dl a file. When they click the link, have a popup window "download.php?user=xyz&file=filename" and it will either say "I'm sorry, you can't download this" or it will present a link to the file in a directory. It's not very secure, the user can always copy-paste the link, but it may work for you.
Which is why I recommended a download proxy file - it is as secure as your authentication scheme.

Re: Idea needed : protect unauthorized user from downloading

Posted: Fri Aug 15, 2008 6:30 am
by godsquare
Thank you for all the suggestions!!

I think I'll try the download proxy solution. Hope it doesn't consume so many resources :D