Im building a "premium" section of my site and Im in a need to give download access to files in a remote directly (on a different server), to users with special privileges (accounts stored in mysql db). My site is coded in php/mysql so a php solution would be great.
direct all download links to a php file that'll do all the credential checking.
you can call the file download.php
pass along parameters via cookies, get, post, session, or whichever manner you verify privileges.
once credentials are verified, you can send an appropriate header.
if it's an image, the header would be header("Content-type: image/jpeg");
i'm assuming that you also own this remote server.
some useful links:
As @pxl said, you need to check for authorization and then output the correct mime type as an HTML header (like he said: header("Content-type: image/jpeg");)
Also, once you are done with that, you will need to output the actual contents of the file and it's size (in bytes) as such:
header("Content-Length: ".filesize("FILENAME")*1.001);
/* The *1.001 puts a nice buffer on the filesize, I read about it online.
Browsers will stop downloading exactly at the Content-Length, but if they go
over, it's not a big deal at all. */
readfile("FILENAME");
die();
Just make sure to store the file in a directory that is not accessible from the web.
I'm used to doing this in ASP.NET where it's built in, but this article seems to chronicle your exact situation.
Here's what I would do:
Built a PHP-SOAP-Sever on the remote server B that holds the files.
Whenever a user triggers a download on your main server A connect to the SOAP-Server on B and reserve a ticket for the user specifying an IP-address and the id/path of the file to download.
Server B will now create a ticketId(which should only be valid for a limited time) for this download and return it to A.
Server A redirects the user to Server B supplying the ticketId as a GET parameter
Server B now checks if the ticket was already used, is expired or if the user comes from the wrong IP. If none of them apply serve the file and mark the ticket as used.
Note: On server B don't keep PHP running while serving the file but use the X-Sendfile header instead. Otherwise the download might stop after the PHP max execution time.
来源:https://stackoverflow.com/questions/1550071/how-to-protect-downloadable-files-in-a-remote-directory-from-non-premium-users