Jump to content

Is there a way to encrypt the directory names in a URL?


CodeRed-Alpha
Go to solution Solved by requinix,

Recommended Posts

I am trying to encrypt just the directory part of the path in a URL.  We have users downloading and viewing documents (pdf, doc, jpg, etc..) The filename does not ned to be encrypted but it can be.  Essentially I want to it to look like this.

 

https://mydomain.com/documents/123.pdf
Should show as

https://mydomain.com/Adslk$ksd)dsajka^sSPd/123.pdf

 

The purpose: To ensure that a user cannot browse directly to the folder just by removing the filename.

 

We do not use any GET variables in our URLs for security reasons. 

 

Is there a way this can be done without decrypting it so the user can see it?  There are tons and tons of article about encrypting the GET variables and URL parameters but I don't really see anybody doing just the file path without the file name being decrypted.  We already disallow any user not logged in or with valid permissions to view the page or access the directory.  But we do not even want the users to be able to know what directory this stuff is even stored in.  Any suggestions?

 

Thank you.

Link to comment
Share on other sites

  • Solution

You can't encrypt the location because the end result is that you're still giving someone a URL to the file. Having gibberish instead of the word "documents" doesn't change that.

The actual answer here is pretty simple: don't give direct links to your PDFs. Use a PHP script which authenticates the user and then outputs the file.
You can use URL rewriting to transform /documents/whatever.pdf to something like /document.php?filename=whatever.pdf (which means existing URLs still work), then do something like

<?php

session_start();
if (!isset($_SESSION["userid"])) { // or whatever so you know if the user isn't logged in
	http_response_code(403);
	exit;
}

if (!isset($_GET["filename"])) {
	http_response_code(400);
	exit;
}

$filename = $_GET["filename"];
if (!preg_match('/^[a-z0-9_.-]+$/i', $filename)) { // potentially other characters in there
	http_response_code(404);
	exit;
}

$path = $_SERVER["DOCUMENT_ROOT"] . "/documents/" . $filename; // or whatever the path should be
if (!is_file($path)) {
	http_response_code(404);
	exit;
}

$extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
$mime = [
	// default
	$extension => "application/octet-stream",

	// list of file types you might have
	"pdf" => "application/pdf",
	// ...
][$extension];

header("Content-Type: $mime");
header("Content-Length: " . filesize($path));
header("Content-Disposition: inline;filename=$filename");
readfile($path);

 

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.