
How to prevent direct download to file?

Hi all,

I need to make a link to download a file, but only authorized persons can download it.

The problem is that anybody can write the direct link for that file and download it. How to prevent that?

PHP

6 Comments

@theyoker Aug 19.2013 — Can't you use a session on the page so you'll need a login and password to access the page?

Use SHA1 to hash the password. And http://www.w3schools.com/php/php_sessions.asp.

This will only work if you want like one or two people to be able to access it; all you have to do is tell them the details.

As for PHP security I'm sure MD5 is not to be used. There's probably a better way than the way above that someone on here is bound to know.

@root Aug 19.2013 — You have a database and use a serverside to show the link to those authorised to download it.

@NogDog Aug 20.2013 — Generally you need a file-server script that will validate the user is logged in and has access to that file, and then serves up the file by reading it from disk (e.g. readfile() or from the DB if you prefer). If doing a readfile(), you can simply put the file(s) outside of the web document root directory tree, so no one can access it via HTTP (or you can have it in the web root but use .htaccess to prohibit access). You might still use a DB to record meta-data about the files, including file names, directories, and types. Then the download link would point to the file-server script, which validates the user and the input (e.g. ?file=some_id_here), and if everything is okay, use header() to set some file-type headers and such, then readfile() the desired file path-name extracted from the DB.
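
A minimal version of the file-server script described in the post above, as an added example that is not part of the original thread. The session key `user_id`, the `files` and `file_access` tables, the SQLite DSN and the storage directory are all assumptions.

```php
<?php
declare(strict_types=1);
// download.php: added example. STORAGE_DIR, the DSN and the files/file_access
// tables are assumptions, not taken from the thread.
const STORAGE_DIR = '/var/app-data/downloads';   // outside the web document root

// Return the metadata row only if this user has been granted this file.
function find_authorized_file(PDO $db, int $userId, int $fileId): ?array
{
    $stmt = $db->prepare(
        'SELECT f.stored_name, f.download_name, f.mime_type
           FROM files f JOIN file_access a ON a.file_id = f.id
          WHERE f.id = :file AND a.user_id = :user'
    );
    $stmt->execute([':file' => $fileId, ':user' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Resolve the stored name to a real path and refuse anything outside STORAGE_DIR.
function safe_path(string $storedName): ?string
{
    $base = realpath(STORAGE_DIR);
    $path = realpath(STORAGE_DIR . '/' . basename($storedName));
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    return strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}

function deny(int $code): void { http_response_code($code); exit; }

session_start();
if (empty($_SESSION['user_id'])) deny(403);                      // not logged in
$fileId = filter_input(INPUT_GET, 'file', FILTER_VALIDATE_INT);  // ?file=some_id_here
if (!is_int($fileId)) deny(400);                                 // missing or not an integer

$db = new PDO('sqlite:/var/app-data/files.sqlite');              // assumed DSN
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$file = find_authorized_file($db, (int) $_SESSION['user_id'], $fileId);
$path = $file ? safe_path($file['stored_name']) : null;
if ($path === null) deny(404);      // same answer for "no such file" and "not yours"

$name = preg_replace('/[^\w.\-]/', '_', $file['download_name']); // keep the header value inert
header('Content-Type: ' . $file['mime_type']);
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The client only ever supplies an integer id; the path on disk comes from the database row, so a request cannot name an arbitrary file.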

@root Aug 20.2013 — If you don't wish to have a login scenario, you could have a database that is used to store hash keys.

The person rolls up to your website and is asked to provide an email address and, if you want, a PIN number to access the file.

Your system generates a hash key and stores it with the email in the database.

You then have a script generate a URL using the hash key, and that then gets emailed to the user.

They then get an email with the URL to the file; that download script then asks the user to validate their email and supply a PIN if generated.

The download then starts.

You then have the hash tag and email deleted from the database, which then renders that link useless, and the person then has to provide an email to get a hash key, which can be as simple as the user's email address + the PHP time() function's value.

@gracerivas Aug 22.2013 — You may want to try PHP HTTP Authentication. http://php.net/manual/en/features.http-auth.php

@root Aug 22.2013 —

> You may want to try PHP HTTP Authentication. http://php.net/manual/en/features.http-auth.php

That's fine if you want to have a user log in, but you need something to test it against, which implies that the person visiting has an account.

The same can be achieved in Apache servers' .htaccess.

You can achieve the same with simple JavaScript, but that has the vulnerability of being bypassed by browsers that don't use JavaScript because they either don't have it or it has been disabled.

I have been fleshing out a system which, when a request for a file is made, asks for an email address, generates a hash and URL, and sends an email to the address; the user then clicks the link in the email and punches in the PIN number and/or email address used to obtain the link, and the whole thing is one-time use.

Then any file request is not hot-linkable.