通过PHP脚本进行BASIC身份验证
[英]BASIC Authenticate via PHP script
问题描述
I'm new to this particular subject matter. 
我是这个新主题的新手。 I have spent half a day searching. 我花了半天时间进行搜索。 I can't take it anymore, so here goes... 我受不了了,所以这里...
I'm working on a site that allows users to upload audio files to the server. 我正在一个允许用户将音频文件上传到服务器的网站。 I save these files in a folder within the http document. 我将这些文件保存在http文档的文件夹中。 Users can listen to the audio files they uploaded using jPlayer. 用户可以使用jPlayer收听他们上传的音频文件。
I have protected the folder where I saved the songs in with Apache BASIC Authentication in order prevent direct url access by the public at large. 我已经使用Apache BASIC Authentication保护了保存歌曲的文件夹,以防止整个公众直接访问URL。 But once a user logs in to our web app (using our application's login mechanism), I want that user to have access to the song folder so that he can play his songs (preferrably for the duration of his session). 但是,一旦用户登录到我们的Web应用程序(使用应用程序的登录机制),我希望该用户可以访问歌曲文件夹,以便他可以播放他的歌曲(最好是在会话期间)。
Any leads will be appreciated. 任何线索将不胜感激。 Thanks. 谢谢。
Edit: Just an added note, the basic authentication will be made from a php file that is not located within the songs folder. 编辑:只是一个补充说明,基本身份验证将通过不在歌曲文件夹内的php文件进行。
1 个解决方案
解决方案1
0 2014-02-19 05:17:53
One solution that has worked for me in the past is to use a PHP script to give people access to the files. 过去对我有用的一种解决方案是使用PHP脚本使人们可以访问文件。 Let's call this download.php . 让我们将其称为download.php 。 Instead of giving the logged in user direct access to the actual location of the files, they need to access the files through download.php and send the file name as a $_GET parameter, like: 他们需要直接通过download.php访问文件并将文件名作为$_GET参数发送,而不是授予登录用户直接访问文件的实际位置的权限,例如:
download.php?file=some_awesome_song.mp3 download.php?file = some_awesome_song.mp3
This way, you can control things like, number of downloads remaining, whether they need to wait a certain amount of time before downloading it (like a download countdown on certain sites), to prevent them from accessing files from another user, etc. 这样,您可以控制剩余的下载次数,是否需要等待一定时间才能下载(例如某些站点上的下载倒计时),阻止他们访问其他用户的文件等。
You could also just forget about HTTP authentication and use .htaccess to completely deny access to the directory that the downloads are located with: 您也可能只是忘记了HTTP身份验证,而使用.htaccess完全拒绝访问下载文件所在的目录:
deny from all
or store the files outside of the web root. 或将文件存储在Web根目录之外。
In your PHP do something like this: 在您的PHP中执行以下操作:
<?php
session_start();
// Make sure user is logged in
if (isset($_SESSION['user_id'])) {
die("You are not logged in");
}
// Make sure user has access to download the file
// Replace with your own methods if applicable
if ($_SESSION['user_has_permission_to_download_file'] === false) {
die("You don't have permission to access that file");
}
// Make sure we're not trying to open anything outside of that directory
$filename = basename($_GET['file']);
// Replace with the actual location
$path = '/actual/path/to/file/' . $filename;
if (!file_exists($path)) {
die("The requested file does not exist");
}
if (!is_readable($path)) {
die("Permission denied while trying to open file");
}
$contents = file_get_contents($path);
// Set content type header based on file
header("Content-type: ".finfo_file($path));
echo $contents;
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.