How to prevent non members from directly accessing private content with PHP

Question

I am aware of the .htaccess Apache method of protecting folders from non members but am wondering how it can be done with PHP only.

Checking for session variables can protect php pages but direct access to photos and or pdfs seem to sometimes be overlooked. For example if I copy a direct link to a photo from facebook, logout, then direct my browser to the url of the photo it shows no problem.

How to sites like Rapidshare protect against direct access to their content?

I know there's a way to set variables in Apache. Maybe there's a way to check for session variables with Apache?

Answer 1

From the questions and comments, it seems that you are after URLs that look like direct access, but pass through a PHP script to allow for authorization to download them. I don't know your current directory structure, so I'm going to make one up for this answer's test case - albeit a small listing:

public-html/
    content/        <- where the actual files are
        .htaccess   <- to deny access to the directory
    .htaccess       <- the one created here
    download.php    <- download script

From this, we are going to assume all the files are located in /content and the "direct link" will look like it is going to /file

The /content/.htaccess :

deny from all

The next one with the note that the first RewriteRule is so that normal files that already exist won't be overwritten, and the previous .htaccess prevent files in that directory from being accessed. If you have an .htaccess that you are using already, the important rule is the last one, and it stops processing if it matches, so place it accordingly in your existing .htaccess .

/.htaccess :

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} -s [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]

    RewriteRule ^file/(.+)$ download.php?file=$1 [L]
</IfModule>

With that in place, it will look like direct access to a file if going to /file/myDocument.pdf , and it will be sent to the script like download.php?file=myDocument.pdf .

From there, it is a matter of creating the download script to use. The one I am posting is a modified version of one from Armand Niculescu found here . I am only posting the relevant parts here ( the entirety can be found on PasteBin where you can modify the parts posted here to fit your needs):

/******************************
 * PERFORM AUTHORIZATION HERE *
 *   The following is added   *
 ******************************/
if($_SESSION['validated'] !== true) {
    //Not authorized to download, send header and exit
    header("HTTP/1.0 401 Unauthorized");
    exit;
}

I have also made another minor edit for the correct file path 8 lines down:

$file_path  = './content/' . $file_name;

And that concludes this small example of how to get a working download script and making it look like direct file access.

Answer 2

From your question I get that you already know how to protect folders from direct access and also how to protect php scripts. So what you need is a protected php script providing indirect access to the files (as was already mentioned in the comments).

When creating this download script you should remember some important details:

• provide the mime type. In many cases header("Content-Type: application/octet-stream") is sufficient, though
• tell the client to download the file (instead of displaying it) and provide a filename: header('Content-Disposition: attachment; filename="' . basename($path) . '"')
• provide the file size: header("Content-Length: " . filesize($path));

• to avoid problems with large files you should use something like the following instead of readfile :

   $file = fopen($path, 'r'); flush(); while (!feof($file)) { print(fread($file, 4096)); flush(); } fclose($file);