堆栈内存溢出
  简体   繁体   English

如何在不暴露物理路径的情况下在线提供可下载文件?

[英]How do I serve a downloadable file online without exposing the physical path?

 原文  2009-05-15 15:13:58       c#/ php/ asp-classic

问题描述

I'm serving up documents that require the user to register before download. 我正在提供要求用户在下载前注册的文档。 Currently, once you register and login, the links to the documents are displayed as: 目前,一旦注册并登录,文档的链接显示为: 

myurl.com/docs/mypdf.pdf

So the physical path to the document is exposed to anyone logged in. What is the best practice for keeping the physical path to the document hidden so registered users can't share direct links with unregistered users or post direct links to the documents elsewhere? 因此,文档的物理路径会向登录的任何人公开。保持文档的物理路径隐藏的最佳做法是什么,以便注册用户无法与未注册用户共享直接链接或在其他地方发布直接链接到文档?

EDIT: I was just looking for an idea that was language agnostic so I chose a few of my favorite languages for the tags. 编辑:我只是在寻找与语言无关的想法,所以我选择了一些我最喜欢的语言作为标签。 The actual implementation in this case is ASP classic. 这种情况下的实际实现是ASP经典。 I'm currently using a download wrapper script that confirms the user is logged in before redirecting to the actual document URL. 我目前正在使用下载包装器脚本,该脚本确认用户在重定向到实际文档URL之前已登录。 I just didn't include it in my question for simplicity. 为简单起见,我只是没有把它包含在我的问题中。

8 个解决方案

解决方案1
 11 已采纳  2009-05-15 15:18:52

Don't do that. 不要那样做。 Instead keep the files somewhere outside the document tree and then make them accessible using a script (eg, php, .Net, whatever) 而是将文件保存在文档树之外的某个位置,然后使用脚本(例如,php,.Net,等等)使它们可访问

The script can check if they are logged in, validate if they are allowed the file, and if so return it. 该脚本可以检查它们是否已登录,验证是否允许该文件,如果是,则返回该文件。 The path they go to might look more like this... /download.php?file=mypdf.pdf 他们去的路径看起来可能更像...... /download.php?file=mypdf.pdf

Something along the lines of... 有点...... 

<?php
if (IsUserLoggedIn())
    readfile('/secret/path/to/file/mypdf.pdf');
?>

解决方案2
 8  2009-05-15 15:17:49

The best way is to read the file up from a non-web accessible path and write it to the output stream. 最好的方法是从非Web可访问路径读取文件并将其写入输出流。

This seemed to show an OK example in php which you seemed to be using? 这似乎在你似乎使用的php中显示了一个好的例子? Just add security check to top of php and kick them out if they are not authorized. 只需在php的顶部添加安全检查,如果未经授权,请将其删除。

http://www.higherpass.com/php/Tutorials/File-Download-Security/ http://www.higherpass.com/php/Tutorials/File-Download-Security/

解决方案3
 1  2009-05-15 15:17:56

the best way to do that is to use a php/asp or serverside scripting file that reads the document a location that isnt available to the outside 最好的方法是使用php / asp或serverside脚本文件,将文档读取到外部不可用的位置

that file then can check if the user is logged in and it can also hide the path to the physical file 然后该文件可以检查用户是否已登录,并且还可以隐藏物理文件的路径

so the url would be www.yourwebsite.com/file.php?file=image.png 所以网址是www.yourwebsite.com/file.php?file=image.png

file.php would verify that the user is logged in then it would read the file or redirect them to the login page file.php将验证用户是否已登录,然后它将读取该文件或将其重定向到登录页面

解决方案4
 1  2009-05-15 15:24:20

What you want to do is create a PHP page that does two things: 你想要做的是创建一个PHP页面,它做两件事:

  1. authenticate the user that is making the request 验证发出请求的用户
  2. stream the file to the client 将文件传输到客户端

This link will help with streams. 链接将有助于流。 And this code may be helpful: 这段代码可能会有所帮助: 

header("Content-Disposition: attachment; filename=$name of pdf that you want to download");
header("Content-Type: application/pdf");
header("Content-Length: ".filesize("$location of pdf/$name of pdf that you want to download"));
header("Pragma: no-cache");
header("Expires: 0");
$fp=fopen("$location of pdf/$name of pdf that you want to download","r");
print fread($fp,filesize("$location of pdf/$name of pdf that you want to download"));
fclose($fp);
exit();

Saw this in a discussion here . 这里的讨论中看到了这一点

解决方案5
 1  2009-05-18 17:10:32

I had a similar problem many moons ago in classic ASP. 在经典的ASP中,我在很多个月前遇到过类似的问题。

Kept files in a directory outside of the webroot. 将文件保存在webroot之外的目录中。

Upon verification, sent the file via ADODB.Stream, and then checked the file extension to make sure i had the proper mime-type set. 验证后,通过ADODB.Stream发送文件,然后检查文件扩展名以确保我有正确的mime类型集。

解决方案6
 0  2009-05-15 15:18:28

It's not clear if you're using ASP.NET, ASP.NET MVC or something else. 目前尚不清楚你是使用ASP.NET,ASP.NET MVC还是其他东西。 However, this post... 不过,这篇帖子......

How can I present a file for download from an MVC controller? 如何从MVC控制器提供要下载的文件?

... shows how to programatically return a file to the user using ASP.NET (the question shows the ASP.NET way, the answers show the MVC way). ...显示如何使用ASP.NET以编程方式将文件返回给用户(问题显示ASP.NET方式,答案显示MVC方式)。

THis would allow the physical files to be in a folder not otherwise accessible to the user, and would allow you to add validation prior to returning the document to ensure that the user was registered etc. 这将允许物理文件位于用户无法访问的文件夹中,并允许您在返回文档之前添加验证以确保用户已注册等。

If you're at a stage in your development where it's not too late to use ASP.NET MVC then do so. 如果您正处于开发阶段,那么使用ASP.NET MVC还为时不晚。 This scenario (serving up a file) becomes a one-liner, and so many other things will be easier (in particular, the testing of your app). 这种情况(提供文件)变成一个单行,而且许多其他事情将更容易(特别是,您的应用程序的测试)。

解决方案7
 0  2009-05-15 15:19:47

You could use a IHttpHandler in .net, although you need wildcard access in IIS. 虽然在IIS中需要通配符访问,但可以在.net中使用IHttpHandler You could use a session based handler. 您可以使用基于会话的处理程序。

解决方案8
 0  2009-05-15 15:32:46

  1. Use a script for access control 使用脚本进行访问控制

    Make a script like myurl.com/file.php?docs/mypdf.pdf which checks that the user has rights to access the file. 制作像myurl.com/file.php?docs/mypdf.pdf这样的脚本,检查用户是否有权访问该文件。 The script will fetch the file from a place that is not visible to the web. 该脚本将从Web不可见的位置获取文件。

  2. (Optional) Use mod_rewrite to make your urls look nice, and redirect user to the file.php script. (可选)使用mod_rewrite使您的网址看起来不错,并将用户重定向到file.php脚本。 Something like: 就像是:

    RewriteCond docs/%{REQUEST_FILENAME} !-f RewriteCond docs /%{REQUEST_FILENAME}!-f

    RewriteRule ^(.*)$ file.php/$1 [QSA,L] RewriteRule ^(。*)$ file.php / $ 1 [QSA,L]

    This will redirect /docs/mypdf.pdf to /file.php?docs/mypdf.pdf but look nicer for the user. 这会将/docs/mypdf.pdf重定向到/file.php?docs/mypdf.pdf,但对用户来说看起来更好。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在没有HttpContext的情况下确定文件的物理路径? - How do you determine the physical path of a file without an HttpContext? 如何将文件在线上传到文件夹而不会出现“对路径的访问被拒绝” - How Do I Upload a File To a Folder Online Without Getting "Access to the path is denied" 如何在没有物理文件路径的情况下将文件附加到TFS中的工作项? - How to attach a file to work item in TFS without physical file path? 如何在不显示物理路径的情况下显示文件夹中的文件? - How to display a file in a folder without showing physical path? 如何以编程方式设置此 xml 文件的物理路径? - How can I set the physical path of this xml file programmatically? 如何在没有 WWWROOT 的情况下使用 ASP.NET 在我的 Web 应用程序中提供 html 文件? - How do I serve an html file in my Web App with ASP.NET without the WWWROOT? 如何在没有控制器的 Razor 页面中找到 wwwroot 的物理路径? - How can I find the physical path of wwwroot, in a Razor page without a controller? 如何在不暴露明文的情况下在网络上传输SecureString(或类似文件)? - How do I transmit a SecureString (or similar) across the network without exposing the plaintext? 物理文件路径 - Physical File Path 如何链接到ASP.NET MVC中的可下载文件? - How do I link to downloadable files in ASP.NET MVC?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM