Page 1 of 1

Protect URL With Script For File Access

Posted: Fri Aug 21, 2009 10:43 am
by Angie1
Hello Any Kind Souls,

I am a newbie in php programming. Currently, I hosted my website in Cpanel running wordpress with my file system in unix/linux system.

I need to implement a security to protect my url for download so that the download path can change each time and that after my users or customers downloaded the files, they will not be able to pass around the link.
Currently, I have implemented a login page after which users logged in, they will be auto-redirected to a download link. However this is not enough. As I am not an expert in programming, I changed this link frequently so that it will remain protected and only paid subscribers will be able to access for a limited time.

I would like to implement something to automate this - to protect my url. I have read on the internet but still confused on the use of the security like MD5 or SHA.

- Does SHA create a different session key each time the URL is called upon?
- Can base64 achieve this?

I read about mod-rewrite in the unix system but I don't want to touch it and I think it's kind of hard for me. As I don't want to touch on the config or htaccess file because it will become my hosting provider responsibility if anything breaks.

So, here I'd would to inquire if any kind soul or experts would provide me some sample script in php or etc... (can run Unix/ Apache server) to implement the above.

Or any technique that can achieve my objective.

e.g my website download link is now http://abc.com/oeurruorwdnndn
Now I would like the oeurruorwdnndn to change each time the browser gets the link.

Thanks Much. :D

PHP newbie

Re: Protect URL With Script For File Access

Posted: Sun Aug 23, 2009 9:23 pm
by Stoker
I dont have a full answer for you here but I can give you some pointers;

first a couple of misconceptions;
base64 is encoding of any data in ascii friendly formats.
md5 and sha is not what you want, is is hash algorithms usually used for checksum or one-way encryption purposes, PHP sessions do not have any relationship to this..
mod_rewrite is a very useful tool, but wouldn't do much more for you than what you are doing now already.

There are probably multiple ways to protect the file(s) from unauthorized downloads - the easiest and most straight forward is using basic http authentication of directory (directory or web protect I think it is called in cpanel), you will need to maintain the list of users manually, only valid users have access to directory where the file is, so no need to do security by obfuscation and change file names.
You could also do the http auth via (php) scripts and database table entries, a bit more advanced but could be automated.
Instead of protecting the file on a direct url, you can use "stream" it from the portal or private area of where your users log in, the file can be in a non-web area, when a authorized user clicks to down load it within his area, your script will just serve the file to the end user...