dannyb785 Posted March 8, 2012 Share Posted March 8, 2012 Hi, I have decent knowledge of htaccess and know enough about php/mysql so a little direction/advice is mostly what I need. I host a website(site1.com) that has links to files that are hosted on a different website(site2.com) on a different server. When a file link is clicked from site1.com, first it will go to a local php file(within site1.com) that checks that the user is logged in and make sure the file exists. Then it redirects(using a simple header function) to the file located at site2.com to begin download. But since my files at site2.com stored in a simple folder(if you knew the folder name, you could download all the files without having to be logged in), I want a way for site2.com to check that the file request is coming from site1.com(maybe using php referrer?) before it allows the download to proceed. Any ideas? Quote Link to comment https://forums.phpfreaks.com/topic/258507-checking-referrer-when-downloading-from-remote-source/ Share on other sites More sharing options...
requinix Posted March 8, 2012 Share Posted March 8, 2012 The referrer is insecure. Don't rely on it. Do you mind having the file go through your server first? Means double the bandwidth (both site1 and site2 are sending the whole file) but it's the easiest answer. Quote Link to comment https://forums.phpfreaks.com/topic/258507-checking-referrer-when-downloading-from-remote-source/#findComment-1325119 Share on other sites More sharing options...
dannyb785 Posted March 8, 2012 Author Share Posted March 8, 2012 The referrer is insecure. Don't rely on it. Do you mind having the file go through your server first? Means double the bandwidth (both site1 and site2 are sending the whole file) but it's the easiest answer. I understand that referrers can be spoofed, but the chances are pretty low of anyone knowing that's how I check for a valid download attempt. Can anyone just answer my question of how to do it? Or suggest a suitable alternative? Quote Link to comment https://forums.phpfreaks.com/topic/258507-checking-referrer-when-downloading-from-remote-source/#findComment-1325128 Share on other sites More sharing options...
dannyb785 Posted March 8, 2012 Author Share Posted March 8, 2012 anybody? Quote Link to comment https://forums.phpfreaks.com/topic/258507-checking-referrer-when-downloading-from-remote-source/#findComment-1325346 Share on other sites More sharing options...
kicken Posted March 8, 2012 Share Posted March 8, 2012 Despite them being spoofable, some browsers, firewalls, or proxy's will filter out a referrer for privacy reason so it will never be sent. This means your download script will not work at all for any of those people. There's not really any good way to do what you want to do when using a simple header redirect. If only logged in users should see them, then you should be running entire download process through your script rather than redirect to the raw file. Quote Link to comment https://forums.phpfreaks.com/topic/258507-checking-referrer-when-downloading-from-remote-source/#findComment-1325347 Share on other sites More sharing options...
dannyb785 Posted March 8, 2012 Author Share Posted March 8, 2012 It doesn't have to be the way I'm doing it, I just need ideas on how to prevent direct downloads! Any way is fine Quote Link to comment https://forums.phpfreaks.com/topic/258507-checking-referrer-when-downloading-from-remote-source/#findComment-1325353 Share on other sites More sharing options...
kicken Posted March 8, 2012 Share Posted March 8, 2012 The way you prevent direct downloads is by not allowing them. That's it. You force people to access the files via your script and provide no alternative means what-so-ever for them to access the file. Generally you place the files somewhere that they will not even be served by apache at all and only your script can access them. The only possible alternative that would allow you to use a direct URL while keeping people from re-using it would be to setup a system where the direct url is constantly changing. Then you need some way to keep both your servers up to date on what the current URL is. The url's should be generated randomly, not based on some varying value like a timestamp otherwise someone could just guess. Quote Link to comment https://forums.phpfreaks.com/topic/258507-checking-referrer-when-downloading-from-remote-source/#findComment-1325356 Share on other sites More sharing options...
dannyb785 Posted March 9, 2012 Author Share Posted March 9, 2012 The way you prevent direct downloads is by not allowing them. That's it. Are your posts usually this useless? I am asking HOW TO NOT ALLOW THEM!!!!! Jesus. Quote Link to comment https://forums.phpfreaks.com/topic/258507-checking-referrer-when-downloading-from-remote-source/#findComment-1325424 Share on other sites More sharing options...
requinix Posted March 9, 2012 Share Posted March 9, 2012 Are your posts usually this useless? I am asking HOW TO NOT ALLOW THEM!!!!! Jesus. By reading the rest of what kicken wrote. After you've done that, go talk to Google instead of us. Quote Link to comment https://forums.phpfreaks.com/topic/258507-checking-referrer-when-downloading-from-remote-source/#findComment-1325439 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.