stopping unauthorized downloads

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


exmonkey
Forum Newbie
Posts: 3
Joined: Fri Sep 02, 2005 4:57 am

Post by exmonkey »

Hi - I am building a site where users have to have a login account in order to view and download a variety of (PDF) files.

The login system is a simple database/session system with an include on every page to make sure the user is allowed to be on the page.

My question is: is there a way of preventing non-logged-in visitors from using a link (to a document) to download a file?
Obviously I will have directory browsing turned off, but if a registered user sends them the URL of a file...

Any ideas?
dbevfat
Forum Contributor
Posts: 126
Joined: Tue Jun 28, 2005 2:47 pm
Location: Ljubljana, Slovenia

Post by dbevfat »

It's not that hard if you store the files in an off-web path and serve them via a php script. That script should of course check if a user is logged in prior to passing the file back to the client.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

To add even more, you can make the download link invalid after a single use. This involves using the database a bit to store the currently active IDs.
exmonkey
Forum Newbie
Posts: 3
Joined: Fri Sep 02, 2005 4:57 am

Post by exmonkey »

dbevfat, I was wondering about that, but I don't know how to serve up files from a directory outside the web root using PHP. Can you point me in the right direction?


Cheers
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

readfile()


feyd | made it a link for ease of understanding.
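Putting dbevfat's and josh's suggestions together, here is an added example of a download script (not code from anyone in this thread). It assumes the site's login include stores a user id in $_SESSION['user_id'], that the PDFs sit in /var/www/private_docs outside the document root, and that links look like download.php?file=report.pdf; those names are assumptions, not from the thread.

```php
<?php
// Added example, not from the original thread. Serve a PDF stored outside
// the web root only to a logged-in user, as dbevfat described, using
// readfile() as josh suggested.
// Assumed: login include sets $_SESSION['user_id']; files live in DOC_DIR.
declare(strict_types=1);
session_start();

const DOC_DIR = '/var/www/private_docs'; // assumed path, outside DocumentRoot

// 1. Check the login before touching the filesystem at all.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required.');
}

// 2. Accept a bare file name only: no slashes, no "..", no absolute paths,
//    so the request cannot reach anything outside DOC_DIR.
$name = $_GET['file'] ?? '';
if (!preg_match('/\A[A-Za-z0-9_-]+\.pdf\z/', $name)) {
    http_response_code(400);
    exit('Bad file name.');
}

// 3. Resolve the real path and confirm it is still inside DOC_DIR
//    (defends against symlinks placed in the document directory).
$base = realpath(DOC_DIR);
$real = realpath(DOC_DIR . '/' . $name);
if ($base === false || $real === false || !is_file($real)
    || strpos($real, $base . '/') !== 0) {
    http_response_code(404);
    exit('Not found.');
}

// 4. Send the file. "no-store" keeps shared caches and proxies from
//    holding a copy that a later, unauthenticated request could receive.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($real));
header('Cache-Control: private, no-store');
readfile($real);
```

Because the script, not the web server, decides whether to send the file, a copied URL is useless without a valid session; feyd's single-use links would be an additional layer on top of this check.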
exmonkey
Forum Newbie
Posts: 3
Joined: Fri Sep 02, 2005 4:57 am

Post by exmonkey »

With or without the link, cheers, that's exactly what I needed.

Ex
BZorch
Forum Commoner
Posts: 45
Joined: Mon May 02, 2005 10:42 pm

Post by BZorch »

If you have not seen it already, you might want to check out the replies I received in the Theory and Design forum. I was asking the same thing and the responses were helpful. Here is the link.

viewtopic.php?t=37539