Posted by Jason Motes on 10/02/71 11:30
>
> I'm designing a controlled access system in PHP, and it's coming along
> quite well. It's very simple, and just sets a session variable, such as
> $_SESSION['authenticated'] = 1, not a whole lot.
>
> Now I run a small snippet of code on the top of each HTML and PHP file,
> which checks for this variable, and either allows or denies access to the
> page.
>
> However, how do people protect against the downloading of real files,
> ones which are not parsed by PHP? .WMV, .MOV, .ZIP, .EXE and so on? I
> want to protect access to these as well, and if a visitor just types in
> a URL and is able to access the file because my access control mechanism
> simply doesn't work on those types of files, what should be the solution
> here?
>
> It's been suggested to use readfile() to accomplish this, by forwarding
> content from outside of the document root - but this just sounds odd.
> On top of being (what I think would be) incredibly slow, it just doesn't
> sound "right".
>
I had a similar issue. I ended up using a .htaccess so that you could
not open the file directly. It checked for the referrer. This is not
the most secure way to do it. I know it can be spoofed.
# .htaccess in the directory holding the files (Apache 2.2 access syntax).
# Hide directory listings, then allow a request only when its Referer
# header points at the viewer page; everything else is denied.
IndexIgnore *
SetEnvIfNoCase Referer "^http://example\.com/viewer\.php" local_ref=1
Order Allow,Deny
Allow from env=local_ref
Jason Motes
php at imotes.com
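As an added example that is not part of either post, here is the readfile() approach the question mentions: a PHP gate that checks the session flag the question describes and then streams a file stored outside the document root, so the static file can never be fetched by URL. The directory /var/www/private and the script name download.php are assumptions.

```php
<?php
// download.php: session-gated delivery of files kept outside the document
// root. Added example, not code from the thread. Assumes the login page
// sets $_SESSION['authenticated'] = 1 as the question describes, and that
// protected files live in PRIVATE_DIR (a hypothetical path).
session_start();

const PRIVATE_DIR = '/var/www/private';   // assumption: not web-reachable

// Same check the question's per-page snippet performs.
if (empty($_SESSION['authenticated'])) {
    http_response_code(403);
    exit('Access denied');
}

// Accept only a bare file name made of safe characters. Rejecting slashes
// and ".." before any filesystem call blocks directory traversal attempts.
$name = $_GET['file'] ?? '';
if (!preg_match('/^[A-Za-z0-9._-]+$/', $name) || strpos($name, '..') !== false) {
    http_response_code(400);
    exit('Bad file name');
}

// realpath() resolves symlinks; confirm the result still lies inside
// PRIVATE_DIR and is a regular file.
$path = realpath(PRIVATE_DIR . '/' . $name);
if ($path === false || strpos($path, PRIVATE_DIR . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Send it as a download with a generic type so the browser stores it
// rather than rendering it in the page context.
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');

// With output buffering off, readfile() writes the file straight to the
// client in chunks instead of accumulating it in memory.
while (ob_get_level() > 0) {
    ob_end_clean();
}
readfile($path);
```

Unlike the Referer check, this gate cannot be bypassed by spoofing a header, because the file is only reachable through the script and the script only answers an authenticated session.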