
Prevent direct external download of files

Hi all

I would like to block the possibility of other users linking directly to some files on my server, due to bandwidth usage.

I have some files available for download at my site. The files are stored outside the public www folder and I have a script for retrieving the files.

However the script is merely something like getFile.php?id=23 so anyone can just reference it using [url]http://www.mysite.com/getFile.php?id=23[/url].

I can easily do a referer check, but as I understand it the referer can be spoofed.

So I thought about setting a session variable on my download page where the link to the files is. When calling getFile.php it will check for the session variable to make sure the user actually came from the download site.

Is this the way to go about the issue or am I missing something? Maybe this could be done with a simple Apache directive instead?

PHP

8 Comments(s)

@Dok (author) Sep 29.2008 — Bumping this one up. Can anyone point me to another place where I could post my question?
@tfk11 Sep 29.2008 — Depending on the level of protection you're looking for, using sessions in the manner you suggest would be a reasonable way to go about protecting files.

You could also use keyed urls, a somewhat controversial access control method that was recently discussed.

http://www.webdeveloper.com/forum/showthread.php?t=187816
@Dok (author) Sep 29.2008 — I read that thread before posting but I don't like the approach. I'll stick to session variables unless someone else posts another idea.

Thanks for answering.
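The session check discussed in the question and the replies above, as an added example that is not code from the thread. It assumes a hypothetical storage path and id-to-file map, lets one script play both the download page and getFile.php, and goes one step beyond a bare session flag by putting a random session-bound token in each link:

```php
<?php
// Added example, not code from the thread. Assumptions (hypothetical names):
// STORE lies outside the public www folder; FILES maps ids to stored names.
declare(strict_types=1);
const STORE   = '/srv/private/downloads';
const FILES   = [23 => 'manual.pdf'];
const MAX_AGE = 900; // seconds a rendered link stays valid

session_start();

// Download page: keep a random token in the session and put it in each link.
function render_links(): string {
    $_SESSION['dl_token'] = bin2hex(random_bytes(16));
    $_SESSION['dl_time']  = time();
    $html = '';
    foreach (FILES as $id => $name) {
        $query = http_build_query(['id' => $id, 't' => $_SESSION['dl_token']]);
        $html .= '<a href="getFile.php?' . htmlspecialchars($query) . '">'
               . htmlspecialchars($name) . "</a><br>\n";
    }
    return $html;
}

// getFile.php: a link is honoured only inside the session that rendered it.
function link_is_valid($token): bool {
    return is_string($token)
        && isset($_SESSION['dl_token'], $_SESSION['dl_time'])
        && time() - $_SESSION['dl_time'] <= MAX_AGE
        && hash_equals($_SESSION['dl_token'], $token);
}

function deny(int $status, string $message): void {
    http_response_code($status);
    exit($message);
}

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null) exit(render_links()); // no id parameter: show the download page

if (!link_is_valid($_GET['t'] ?? null)) deny(403, 'Start from the download page.');
if ($id === false || !array_key_exists($id, FILES)) deny(404, 'Unknown file.');
$path = STORE . '/' . FILES[$id];
if (!is_file($path)) deny(404, 'Unknown file.');

session_write_close(); // release the session lock before streaming the file
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . FILES[$id] . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

A link copied onto another site carries a token that exists only in the original visitor's session, so it returns 403 for everyone else and for the same visitor once MAX_AGE has passed.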
@opifex Sep 30.2008 — what you are really talking about is hotlinking???

if you are using Apache server .htaccess is a good option

[CODE]RewriteEngine on
#if not already on

# All conditions must hold (implicit AND): the Referer matches none of our own hosts.
# Dots in the host names are escaped so they match a literal dot only.
RewriteCond %{HTTP_REFERER} !^http://subdomain\.domain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://subdomain\.domain\.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://subdomain1\.domain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://subdomain1\.domain\.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.domain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.domain\.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://domain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://domain\.com$ [NC]
# Redirect image requests to the placeholder; .jpeg is not in the list, so the placeholder itself is served.
RewriteRule \.(gif|jpg|png)$ http://domain.com/thief.jpeg [R,NC]
[/CODE]


the thief.jpeg....or whatever extension isn't in the deny list can be anything... i usually put the site logo and write the url.

the deny list can include [B]any[/B] file type

[I]works fine, lasts a long time and don't rust![/I]
@Dok (author) Sep 30.2008 — [QUOTE]what you are really talking about is hotlinking???[/QUOTE]
Yes - I just didn't know what to call it.

But can't you just spoof the referer? Isn't it a setting which can be altered client side?
@opifex Sep 30.2008 — http_referer can be spoofed client side, but what this server directive is looking at is the page that is requesting the file, not the client's browser (or whatever) and denies access to pages not listed.

most hotlinkers are users of auction sites, blogs, free personal pages and the like. they simply put the url of your image as the image url in their page and steal your bandwidth; this will stop that.
@Dok (author) Sep 30.2008 — Excellent - thanks a lot.
@Dok (author) Oct 03.2008 — mod_rewrite is fantastic - can't believe I've never used it before.

However if I make a rewrite to map /articles/title.of.article to /articles.php?url=title.of.article with
[CODE]RewriteCond %{REQUEST_URI} ^/articles/ [NC]
RewriteRule ^/articles/(.*)$ /articles.php?url=$1 [NC,L][/CODE]

then articles.php loses its knowledge of its base URL and image/css/js files are not referenced correctly. I fixed this by adding a base tag in the header, but why is the correct base URL lost? Can I do something other than add a base tag?