|
Posted by Richard Heyes on 10/20/24 11:30
Dan Trainor wrote:
> Hello, all -
>
> I'm designing a controlled access system in PHP, and it's coming along
> quite well. It's very simple, and just sets a session varibale, such as
> $_SESSION['authenticated'] = 1, not a whole lot.
If you do this this, you must make sure you have some sort of session
hijacking prevention in place.
> Now I run a small sniplet of code on the top of each HTML and PHP file,
> which checks for this variable, and either allows or denys access to the
> page.
>
> However, how do people protect against the downloading of real files,
> ones which are not parsed by PHP? .WMV, .MOV, .ZIP, .EXE and so on? I
> want to protect access to these as well, and if a visitor just types in
> a URL and is able to access the file because my access control mechanism
> simply doesn't work on those types of files, what should be the solution
> here?
>
> It's been suggested to use readfile() to accomplish this, by forwarding
> content from outside of the document root - but this just sounds odd.
> On top of being (what I think would be) incredibly slow, it just doesn't
> sound "right".
This works fine for me on one site I maintain, though not with
readfile(). When testing readfile() always crapped out at around 2Mb,
whereas fopen() and a while loop with fread() working perfectly, even
for larger files (up to 200Mb). Not tested this on high traffic, though
it all depends on how large you files are.
--
Richard Heyes
[Back to original message]
|