How to protect downloadable files in a remote directory from non-premium users (in php?)

扶醉桌前 submitted on 2019-12-09 23:27:38

Question


I'm building a "premium" section of my site and I'm in need to give download access to files in a remote directory (on a different server), to users with special privileges (accounts stored in mysql db). My site is coded in php/mysql so a php solution would be great.


Answer 1:


direct all download links to a php file that'll do all the credential checking.

you can call the file download.php

pass along parameters via cookies, get, post, session, or whichever manner you verify privileges.

once credentials are verified, you can send an appropriate header.

if it's an image, the header would be header("Content-type: image/jpeg");

i'm assuming that you also own this remote server.

some useful links:

MIME types

PHP Header Function




Answer 2:


As @pxl said, you need to check for authorization and then output the correct mime type as an HTML header (like he said: header("Content-type: image/jpeg");)

Also, once you are done with that, you will need to output the actual contents of the file and its size (in bytes) as such:

header("Content-Length: ".filesize("FILENAME")*1.001);
/* The *1.001 puts a nice buffer on the filesize, I read about it online.
Browsers will stop downloading exactly at the Content-Length, but if they go
over, it's not a big deal at all. */
readfile("FILENAME");
die();

Just make sure to store the file in a directory that is not accessible from the web.




Answer 3:


I'm used to doing this in ASP.NET where it's built in, but this article seems to chronicle your exact situation.




Answer 4:


Here's what I would do:

  1. Build a PHP-SOAP-Server on the remote server B that holds the files.

  2. Whenever a user triggers a download on your main server A connect to the SOAP-Server on B and reserve a ticket for the user specifying an IP-address and the id/path of the file to download.

  3. Server B will now create a ticketId (which should only be valid for a limited time) for this download and return it to A.

  4. Server A redirects the user to Server B supplying the ticketId as a GET parameter

  5. Server B now checks if the ticket was already used, is expired or if the user comes from the wrong IP. If none of them apply serve the file and mark the ticket as used.

Note: On server B don't keep PHP running while serving the file but use the X-Sendfile header instead. Otherwise the download might stop after the PHP max execution time.
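
The ticket bookkeeping from steps 2, 3 and 5 above, as an added example that is not part of the original answer. It assumes SQLite through PDO as server B's ticket store; the table layout and the function names are hypothetical, and the SOAP transport between A and B is left out.

```php
<?php
declare(strict_types=1);

// Hypothetical schema and function names; SQLite stands in for server B's ticket store.
function openStore(string $dsn): PDO {
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS tickets (
        id_hash TEXT PRIMARY KEY, ip TEXT NOT NULL, file_id TEXT NOT NULL,
        expires INTEGER NOT NULL, used INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Steps 2-3: invoked on behalf of server A after A has checked the user's
// privileges. Only a hash of the ticket is stored, so a leaked table is not
// a list of usable tickets.
function issueTicket(PDO $db, string $ip, string $fileId, int $ttl = 60): string {
    $ticket = bin2hex(random_bytes(32)); // unguessable, 256 bits from the CSPRNG
    $db->prepare('INSERT INTO tickets (id_hash, ip, file_id, expires) VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $ticket), $ip, $fileId, time() + $ttl]);
    return $ticket;
}

// Step 5: a single UPDATE tests "unused, unexpired, same IP" and marks the
// ticket used, so two concurrent requests cannot both redeem it.
function redeemTicket(PDO $db, string $ticket, string $ip): ?string {
    $hash = hash('sha256', $ticket);
    $upd = $db->prepare('UPDATE tickets SET used = 1
        WHERE id_hash = ? AND ip = ? AND used = 0 AND expires > ?');
    $upd->execute([$hash, $ip, time()]);
    if ($upd->rowCount() !== 1) {
        return null; // unknown, expired, already used, or wrong IP
    }
    $sel = $db->prepare('SELECT file_id FROM tickets WHERE id_hash = ?');
    $sel->execute([$hash]);
    return (string) $sel->fetchColumn();
}

// Constructed demo values (documentation IP ranges, made-up file id).
$db = openStore('sqlite::memory:');
$ticket = issueTicket($db, '203.0.113.7', 'report-2019');
var_dump(redeemTicket($db, $ticket, '198.51.100.9')); // request from a different IP
var_dump(redeemTicket($db, $ticket, '203.0.113.7'));  // request from the reserved IP
var_dump(redeemTicket($db, $ticket, '203.0.113.7'));  // replay of the same ticket
```

When `redeemTicket()` returns a file id, server B looks that id up in its own list of files to get the path and sends it in the X-Sendfile header; the path is never taken from the request.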



Source: https://stackoverflow.com/questions/1550071/how-to-protect-downloadable-files-in-a-remote-directory-from-non-premium-users
