 Posted by Dan Trainor on 06/15/79 11:30 
Jason Motes wrote: 
>> 
>> I'm designing a controlled access system in PHP, and it's coming along 
>> quite well.  It's very simple, and just sets a session variable, such as 
>> $_SESSION['authenticated'] = 1, not a whole lot. 
>> 
>> Now I run a small snippet of code at the top of each HTML and PHP file, 
>> which checks for this variable, and either allows or denies access to the 
>> page. 
>> 
>> However, how do people protect against the downloading of real files, 
>> ones which are not parsed by PHP?  .WMV, .MOV, .ZIP, .EXE and so on?  I 
>> want to protect access to these as well, and if a visitor just types in 
>> a URL and is able to access the file because my access control mechanism 
>> simply doesn't work on those types of files, what should be the solution 
>> here? 
>> 
>> It's been suggested to use readfile() to accomplish this, by forwarding 
>> content from outside of the document root - but this just sounds odd. 
>> On top of being (what I think would be) incredibly slow, it just doesn't 
>> sound "right". 
>> 
>  
> I had a similar issue.  I ended up using a .htaccess so that you could 
> not open the file directly.  It checked for the referrer.  This is not 
> the most secure way to do it.  I know it can be spoofed. 
>  
> IndexIgnore * 
> SetEnvIfNoCase Referer "^http://example.com/viewer.php" local_ref=1 
> Order Allow,Deny 
> Allow from env=local_ref 
>  
> Jason Motes 
> php at imotes.com 
>  
 
Thanks for the reply, Jason - 
 
I'd like to keep the application as portable as possible; thus, I cannot 
use any kind of htaccess hackery because I want this PHP application to 
run on IIS, as well. 
 
Thanks 
-dant
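The readfile() approach the original post mentions, written out as an added example (this is not code from either poster): a single PHP gateway script that performs the same $_SESSION['authenticated'] check the poster's pages already use, then streams a file stored outside the document root. Because the check runs in PHP rather than in Apache configuration, it behaves the same under IIS. The directory /srv/protected, the script name download.php and the f= parameter are assumptions for illustration, as is the extension allowlist; the path check with realpath() and basename() is what stops a request such as f=../../etc/passwd from leaving the protected directory.

```php
<?php
// Added example, not from the original thread: a PHP download gateway that
// enforces the poster's session flag and then serves a file that lives
// outside DOCUMENT_ROOT, so the web server can never hand it out directly.
//
// Assumed layout (hypothetical): protected files in /srv/protected, this
// script reached as download.php?f=<filename>.

session_start();

// 1. Same access-control check the poster runs at the top of each page.
//    Strict comparison: the poster stores the integer 1.
if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== 1) {
    header('HTTP/1.1 403 Forbidden');
    exit('Access denied');
}

// 2. Resolve the requested name to a real file inside the protected directory.
//    basename() drops any directory components the client supplied;
//    realpath() collapses symlinks and "..", and returns false if the
//    file does not exist; the prefix test rejects anything outside $baseDir.
$baseDir = realpath('/srv/protected');                      // assumed location
$name    = basename(isset($_GET['f']) ? (string) $_GET['f'] : '');
$path    = $name === '' ? false : realpath($baseDir . DIRECTORY_SEPARATOR . $name);

if ($path === false
    || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('No such file');
}

// 3. Serve only the types you intend to; anything else is treated as absent.
//    (The allowlist itself is an addition; the original post only names the types.)
$allowed = array(
    'wmv' => 'video/x-ms-wmv',
    'mov' => 'video/quicktime',
    'zip' => 'application/zip',
    'exe' => 'application/octet-stream',
);
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    header('HTTP/1.1 404 Not Found');
    exit('No such file');
}

// 4. Stream the bytes. readfile() copies in chunks rather than loading the
//    whole file, so memory stays flat; clear output buffers first so PHP
//    does not accumulate the file before sending it.
while (ob_get_level() > 0) {
    ob_end_clean();
}
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);  // keep the header well-formed
header('Content-Type: ' . $allowed[$ext]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

Links in the protected pages then point at download.php?f=movie.wmv instead of at the file itself, and the files are kept out of the web root entirely, so there is no direct URL for a visitor to type in. Unlike the Referer-based .htaccess rule quoted above, the decision here rests on the server-side session, which the client cannot spoof by editing a request header.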