
Prevent direct URL access to files

Background info:

I am working on a website which will provide image and video content via a subscription service. That is, users should ONLY have access to the image and video content so long as they are logged in successfully. (Note: the log-in system uses a combination of a MySQL DB - to store the username and password - and PHP to create new user sessions / authentication etc.)

The problem:

How do I stop a user (logged in or not) from directly accessing the image and video files? For example, a user who is not logged in could access the file directly as follows: www.domain.com/testvideo.mp4 - this would render the video content in the browser for them to watch or share with others. (NOTE: I still need to be able to use / display the image and video files on-site via HTML, CSS, PHP etc.)

I have tried several .htaccess solutions (including: RewriteCond/RewriteRule & .htpasswd) which have successfully prevented direct access BUT have prevented the ability to use the files on-site via HTML, CSS, PHP etc.

I was thinking that this must be a very common problem and if so, what is the best way to resolve it?

It is a pretty common problem with a pretty common solution. In order to enforce access control you have to invoke a PHP script before serving the file and verify the credentials. Then, if the credentials are valid, serve the actual file.

You may be tempted to serve the file directly from the PHP script using something like readfile. This is going to kill your server performance and break download resuming for the client.

Luckily there is a solution, where you can hand the actual file serving back to the web server.

This works as follows:

  1. The web server receives the request to /file.mp4.
  2. According to the rewrite rules you've set up it directs it to your PHP script /serve.php instead.
  3. Your script verifies the credentials, e.g. something from the session or cookies.
  4. If the credentials are valid, the script issues a specially crafted header. It tells the web server to actually serve the static file. If not, you may as well output a 403 HTTP code.

The example script can be something like:

<?php
$file = '/tmp/file.mp4'; // it is in your best interest to make this file inaccessible for a direct download
header('X-Sendfile: ' . $file);
header('Content-Type: ' . mime_content_type($file)); // contentType() is not a PHP built-in; mime_content_type() (fileinfo extension) is
header('Content-Disposition: inline;');

In order for this to work you'll have to have mod_xsendfile ( https://tn123.org/mod_xsendfile/ ) installed on your Apache, which is probably already the case for your hoster. You'll also have to drop in some lines to configure it and set up a proper rewrite.

You can find a lot of stuff on Google by searching for "mod_xsendfile php", which might also help a great deal.

Hope that makes sense!
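A complete serve.php for the flow described in the answer above, as an added example that is not part of the original answer. It assumes mod_xsendfile is enabled, that the login code stores the user id in $_SESSION['user_id'], that the protected files live under /var/www/protected (outside the document root) and that a rewrite rule sends /media/<name> to /serve.php?f=<name>; those paths, the session key and the f parameter are assumptions, not details from the question. The Apache directives it relies on are listed in the header comment.

```php
<?php
// serve.php - added example, not the original answer's code.
// Assumed Apache configuration (mod_rewrite + mod_xsendfile):
//     XSendFile On
//     XSendFilePath /var/www/protected
//     RewriteEngine On
//     RewriteRule ^media/(.+)$ /serve.php?f=$1 [L,QSA]
// Assumed: the login code sets $_SESSION['user_id'] after a successful login,
// and media files are stored in /var/www/protected, outside the document root.

declare(strict_types=1);
session_start();

const MEDIA_ROOT = '/var/www/protected';   // assumed storage location, not web-accessible
const ALLOWED_TYPES = [                    // only these extensions are ever served
    'mp4'  => 'video/mp4',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

function deny(int $code, string $message): void
{
    http_response_code($code);
    header('Content-Type: text/plain');
    echo $message;
    exit;
}

// 1. Credential check: replace with whatever your session/DB logic provides.
if (empty($_SESSION['user_id'])) {
    deny(403, 'Login required');
}

// 2. Resolve the requested name to a real path and confirm it is still inside
//    MEDIA_ROOT, so "../" sequences or absolute paths cannot reach other files.
$root      = realpath(MEDIA_ROOT);
$requested = (string) ($_GET['f'] ?? '');
$real      = $requested === '' ? false : realpath(MEDIA_ROOT . '/' . $requested);

if ($root === false || $real === false || strpos($real, $root . '/') !== 0 || !is_file($real)) {
    deny(404, 'Not found');
}

// 3. Serve only known media types, with a Content-Type chosen by us, not by the client.
$ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
if (!isset(ALLOWED_TYPES[$ext])) {
    deny(404, 'Not found');
}

// 4. Hand the file back to Apache. mod_xsendfile strips the X-Sendfile header and
//    streams the file itself, so Range requests (seeking, resuming) keep working.
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Disposition: inline; filename="' . basename($real) . '"');
header('Cache-Control: private, no-store');
header('X-Sendfile: ' . $real);
exit;
```

On-site you embed the media through the rewritten path (for example a video tag pointing at /media/testvideo.mp4), so the browser's request for the embedded file goes through the same session check as a direct visit. Because the files sit outside the document root there is no second URL that bypasses the script, and the realpath check means the only thing a request can choose is a file that actually lives in the protected directory.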

You cannot avoid that as long as your files are publicly available.

The most common way is to not serve the files directly, but to serve them through PHP so that you can check the user's access before you serve the file. The files can then reside anywhere on the server where the web-server user (www, apache, etc.) has access but the visitor hasn't.

Check the examples in the PHP manual on readfile and header to see how you can serve a file through PHP. You will find lots of examples here on SO as well.
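The readfile variant this answer points to, as an added example that is neither the answer's own code nor taken from the PHP manual. It makes the same assumptions as before: the login code sets $_SESSION['user_id'], the files are stored in /var/www/protected outside the document root, and the file is requested via an assumed f parameter. Keeping the files outside the document root is what makes the check enforceable; the limitation the first answer mentions (no Range support, PHP doing the streaming) is noted in the code.

```php
<?php
// download.php - added example of serving a protected file with readfile().
// Assumed: $_SESSION['user_id'] is set on successful login, and the files live
// in /var/www/protected, a directory the web-server user can read but that is
// not under the document root (so there is no direct URL to them).

declare(strict_types=1);
session_start();

if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// Keep only the file name; basename() drops any directory part, so the client
// can pick a file in the protected directory but not a path outside it.
$name = basename((string) ($_GET['f'] ?? ''));
$path = '/var/www/protected/' . $name;   // assumed storage location

if ($name === '' || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Detect the MIME type from the file content (fileinfo extension) rather than
// trusting the extension; fall back to a generic type if detection fails.
$type = mime_content_type($path) ?: 'application/octet-stream';

header('Content-Type: ' . $type);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: inline; filename="' . $name . '"');
header('Cache-Control: private, no-store');

// Flush any output buffers so nothing is prepended to the file bytes, then
// stream the file. readfile() sends the whole file and ignores Range headers,
// so seeking in a video or resuming a download will not work; that is the
// trade-off the first answer warns about, and why X-Sendfile is preferred.
while (ob_get_level() > 0) {
    ob_end_clean();
}
readfile($path);
exit;
```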
