Jump to content

Recommended Posts

Hi, I have decent knowledge of htaccess and know enough about php/mysql so a little direction/advice is mostly what I need. I host a website(site1.com) that has links to files that are hosted on a different website(site2.com) on a different server. When a file link is clicked from site1.com, first it will go to a local php file(within site1.com) that checks that the user is logged in and make sure the file exists. Then it redirects(using a simple header function) to the file located at site2.com to begin download.

 

But since my files at site2.com stored in a simple folder(if you knew the folder name, you could download all the files without having to be logged in), I want a way for site2.com to check that the file request is coming from site1.com(maybe using php referrer?) before it allows the download to proceed. Any ideas?

The referrer is insecure. Don't rely on it.

 

Do you mind having the file go through your server first? Means double the bandwidth (both site1 and site2 are sending the whole file) but it's the easiest answer.

The referrer is insecure. Don't rely on it.

 

Do you mind having the file go through your server first? Means double the bandwidth (both site1 and site2 are sending the whole file) but it's the easiest answer.

 

I understand that referrers can be spoofed, but the chances are pretty low of anyone knowing that's how I check for a valid download attempt. Can anyone just answer my question of how to do it? Or suggest a suitable alternative?

Despite them being spoofable, some browsers, firewalls, or proxy's will filter out a referrer for privacy reason so it will never be sent.  This means your download script will not work at all for any of those people.

 

There's not really any good way to do what you want to do when using a simple header redirect.  If only logged in users should see them, then you should be running entire download process through your script rather than redirect to the raw file.

 

The way you prevent direct downloads is by not allowing them.  That's it.  You force people to access the files via your script and provide no alternative means what-so-ever for them to access the file.  Generally you place the files somewhere that they will not even be served by apache at all and only your script can access them.

 

The only possible alternative that would allow you to use a direct URL while keeping people from re-using it would be to setup a system where the direct url is constantly changing.  Then you need some way to keep both your servers up to date on what the current URL is.  The url's should be generated randomly, not based on some varying value like a timestamp otherwise someone could just guess.

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.