File protection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

SidewinderX
Forum Contributor
Posts: 407
Joined: Fri Jul 16, 2004 9:04 pm
Location: NY

File protection

Post by SidewinderX »

OK, so I've created a script with sessions and all that. In order to access this part of my site it requires a subscription to download certain files. All the files are stored in a directory called downloads and stored as .zip files. The problem is, if 1 person registers with the subscription, he can copy all the direct links to the files and post them in a warez forum... Is it possible to make the files only accessible if you are logged in?
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

yes.

you can check a session and if it's set, use header() to send the file down.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Place the files in an area outside the web accessible paths. If you're on a shared host, you should really consider moving to a dedicated one too. Changing the file owner to a separate user from the web server's default user can help along with setting the permissions properly. Force all users to go through a script to download, where the script sends the file itself.
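
A sketch of the download script described in the replies above, added here as an example and not part of any poster's message. The session key `subscriber`, the storage path `/srv/private/downloads` and the `file` query parameter are assumptions.

```php
<?php
declare(strict_types=1);
// download.php - added example; names and paths below are assumptions.

session_start();

// Assumed: the login script sets this flag for paying subscribers.
if (empty($_SESSION['subscriber'])) {
    http_response_code(403);
    exit('Login required.');
}

// Assumed storage directory, outside the web root so no direct URL exists.
$baseDir = realpath('/srv/private/downloads');

// Accept only a bare file name such as "pack1.zip"; reject anything else,
// which rules out "../" sequences, absolute paths and other extensions.
$name = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : '';
if ($baseDir === false || !preg_match('/\A[A-Za-z0-9_-]+\.zip\z/', $name)) {
    http_response_code(400);
    exit('Bad request.');
}

// Resolve symlinks and confirm the result is still inside $baseDir.
$path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
$prefix = $baseDir . DIRECTORY_SEPARATOR;
if ($path === false
    || strncmp($path, $prefix, strlen($prefix)) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found.');
}

// Release the session lock so a long download does not block other requests.
session_write_close();

// The script, not the web server, sends the file.
header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

Links on the site then point at `download.php?file=pack1.zip` instead of the .zip itself, so a copied link is useless without a logged-in session.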
fine
Forum Newbie
Posts: 5
Joined: Thu Oct 13, 2005 4:15 pm

Post by fine »

yep, add session control,

one user login, give him a session variable.

like this php session example
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

fine, please don't spam the forums