Posted by Gordon Burditt on 12/23/05 04:19
>I know I could use login and check http_referers.
>But when the person gets to download the file then he
>has the direct link to the file so later he doesn't have to
>login anymore.
So make sure the *ONE* and *ONLY* URL that can be used to retrieve
the file checks whether the person is logged in.
>That is what I want to prevent.
>I don't want people to be able to download the file directly
>without being authenticated.
Put the actual file outside the document tree so the web server
will not serve it directly with any URL. Install in the document
tree a PHP page that checks that the user is logged in, then generates
an appropriate content-type header, then serves the file by calling
fpassthru(). The file can be anything you want: image, executable,
virus, .zip, or whatever, and its being binary won't hurt.
This is the URL you give to a user. The user can post it on the
Internet if he wants to, or you can let Google index it, but assuming
you properly wrote your login check, nobody can get the file unless
they are logged in.
I recommend the use of PHP sessions for handling logins, but there
are other ways that work also.
Gordon L. Burditt
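The gate script Gordon describes, written out as an added example (not code from the original post). It assumes the login flow stores the user's id in $_SESSION['user_id'], that the protected files live in /var/www/private/ outside the document root, and that clients request a file by a short key rather than by name, so the URL can never point at an arbitrary path.

```php
<?php
// download.php: the ONE and ONLY URL that hands out a protected file.
// Assumptions (not from the original post): the login code sets
// $_SESSION['user_id'], and protected files live in /var/www/private/,
// a directory the web server does not serve directly.
session_start();

// 1. Refuse anyone who is not logged in; no file name is revealed.
if (empty($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Login required.');
}

// 2. Map a short client-supplied key to a file name we control, so the
//    request can never name an arbitrary path (no "../" in $path).
$catalog = array(
    'manual' => array('file' => 'manual.pdf', 'type' => 'application/pdf'),
    'setup'  => array('file' => 'setup.zip',  'type' => 'application/zip'),
    'logo'   => array('file' => 'logo.png',   'type' => 'image/png'),
);
$key = isset($_GET['id']) ? $_GET['id'] : '';
if (!isset($catalog[$key])) {
    header('HTTP/1.1 404 Not Found');
    exit('No such file.');
}
$entry = $catalog[$key];
$path  = '/var/www/private/' . $entry['file'];

$fp = fopen($path, 'rb');
if ($fp === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('File unavailable.');
}

// 3. Headers appropriate to binary content; the real $path is never sent.
header('Content-Type: ' . $entry['type']);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $entry['file'] . '"');
header('Cache-Control: private, no-store'); // shared caches must not keep a gated file

// 4. Stream the bytes straight through with fpassthru(), as the post says.
fpassthru($fp);
fclose($fp);
```

Because the check runs on every request, a user who posts the URL or lets a search engine index it gives away nothing: without a valid session the script answers 403 and the bytes never leave the server.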