How to protect downloadable files in a remote directory from non-premium users (in php?)

天大地大妈咪最大 提交于 2019-12-04 18:46:49

direct all download links to a php file that'll do all the credential checking.

you can call the file download.php

pass along parameters via cookies, get, post, session, or whichever manner you verify privileges.

once credentials are verified, you can send an appropriate header.

if it's an image, the header would be header("Content-type: image/jpeg");

i'm assuming that you also own this remote server.

some useful links:

MIME types

PHP Header Function

As @pxl said, you need to check for authorization and then output the correct mime type as an HTML header (like he said: header("Content-type: image/jpeg");)

Also, once you are done with that, you will need to output the actual contents of the file and it's size (in bytes) as such:

header("Content-Length: ".filesize("FILENAME")*1.001);
/* The *1.001 puts a nice buffer on the filesize, I read about it online.
Browsers will stop downloading exactly at the Content-Length, but if they go
over, it's not a big deal at all. */
readfile("FILENAME");
die();

Just make sure to store the file in a directory that is not accessible from the web.

I'm used to doing this in ASP.NET where it's built in, but this article seems to chronicle your exact situation.

Here's what I would do:

  1. Built a PHP-SOAP-Sever on the remote server B that holds the files.

  2. Whenever a user triggers a download on your main server A connect to the SOAP-Server on B and reserve a ticket for the user specifying an IP-address and the id/path of the file to download.

  3. Server B will now create a ticketId(which should only be valid for a limited time) for this download and return it to A.

  4. Server A redirects the user to Server B supplying the ticketId as a GET parameter

  5. Server B now checks if the ticket was already used, is expired or if the user comes from the wrong IP. If none of them apply serve the file and mark the ticket as used.

Note: On server B don't keep PHP running while serving the file but use the X-Sendfile header instead. Otherwise the download might stop after the PHP max execution time.

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!