
Best strategy to protect downloadable files -php/mysql Apache2 server

Developer https://www.devze.com 2023-02-17 22:42 Source: Internet
I'm trying to figure out how to protect a directory from unauthorized or not authenticated users downloading files. Thanks in advance.


Can't find a good duplicate, but a little search will bring up results like this: PHP protect a folder

There is a simple way to restrict folder access based on PHP session authorization. It requires creating stub files for valid authorized sessions (and automating their deletion). In PHP you do:

// Once the user has authenticated, drop a stub file named after the session id.
// tmp/ must not be web-accessible, and stubs should be removed on logout/expiry.
if ($user_has_permission_to_download)
{
   touch("tmp/access-" . session_id());
}

Then a simple RewriteRule + RewriteCond pair can serve for authorization:

RewriteEngine On
# \w+ allows only [A-Za-z0-9_], so the cookie value cannot contain "/" or "." to escape tmp/
RewriteCond %{HTTP_COOKIE}        PHPSESSID=(\w+)
# -f needs an absolute filesystem path; this assumes tmp/ sits under the document root, where the PHP snippet creates the stubs
RewriteCond %{DOCUMENT_ROOT}/tmp/access-%1      -f
RewriteRule ^(.+)$  $1  [L]

# everyone else is sent to the deny page
RewriteRule .+  /deny   [L]

The first block permits access when the corresponding cookie value is found and an authorization stub file exists. The second rule blocks access for anyone else.


Put a .htaccess file in the directory with the files, with the following content

deny from all

Then create a script that uses, for instance, readfile() to serve the file if the user is authorized.


I'm assuming you have a users / login script somewhere that authenticates a user? Use .htaccess rewrite rules to forward the file request through a php script that checks a session variable if the user is logged in then returns the file.

Something of the ilk:

.htaccess
RewriteEngine on
# the dot before the extension must be escaped, otherwise it matches any character
RewriteRule ^(.*)\.(pdf|exe|doc|whatever)$ some-script.php?file=$1.$2 [L]

<?php
// loginCheck(): your own function that checks the session for a logged-in user.
// basename() drops any directory components so "../" cannot escape ../files/.
$file = basename($_GET['file']);
$path = '../files/' . $file;
if (loginCheck() && is_file($path)) {
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $file . '"');
    readfile($path); // stream the file body to the client instead of returning a handle
}

This is just pseudo code to give you an idea of what you need to do. You may also have to echo the correct file headers as well.

And to stop people from just going to the files directory, I recommend putting an .htaccess file in THAT folder as well saying deny from all to stop EVERYONE from accessing it.
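A fuller version of the "rewrite every download through a PHP script" approach described in the last two answers, as an added example (not code from either poster). It assumes the files live in ../files/ (protected by deny from all), the RewriteRule passes the name in the file parameter, and a successful login has stored $_SESSION['user_id']; the loginCheck() helper is replaced by that session check.

```php
<?php
// Added example: authenticated download handler behind the RewriteRule.
// Assumptions: files in ../files/ (not web-accessible), login sets $_SESSION['user_id'].
session_start();

const FILES_DIR   = __DIR__ . '/../files';
// Only these extensions are served, each with a fixed Content-Type.
const ALLOWED_EXT = ['pdf' => 'application/pdf',
                     'doc' => 'application/msword',
                     'exe' => 'application/octet-stream'];

function deny(int $code, string $msg): void {
    http_response_code($code);
    header('Content-Type: text/plain');
    exit($msg);
}

if (empty($_SESSION['user_id'])) {
    deny(403, 'Login required');
}

// 1. Strip any directory component: "../../etc/passwd" becomes "passwd".
$name = basename((string)($_GET['file'] ?? ''));
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if ($name === '' || !isset(ALLOWED_EXT[$ext])) {
    deny(404, 'No such file');
}

// 2. Resolve the real path and confirm it is still inside FILES_DIR, so
//    symlinks or odd names cannot point outside the download directory.
$base = realpath(FILES_DIR);
$path = realpath(FILES_DIR . '/' . $name);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    deny(404, 'No such file');
}

// 3. Send explicit headers and stream the file; nosniff stops the browser
//    from second-guessing the declared type.
header('Content-Type: ' . ALLOWED_EXT[$ext]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . rawurlencode($name) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Unknown files and unauthorized requests both end in a short plain-text error, so the handler never reveals whether a name exists to someone who is not logged in.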


.htaccess is your best friend. Put deny from all into that .htaccess file. Or if you don't want to use .htaccess file encrypt and change all the time the download path (LOL!).

