stackoom
  简体   繁体   中英

How do I serve a downloadable file online without exposing the physical path?

 原文  2009-05-15 15:13:58       c#/ php/ asp-classic

Question

I'm serving up documents that require the user to register before download. Currently, once you register and login, the links to the documents are displayed as: 

myurl.com/docs/mypdf.pdf

So the physical path to the document is exposed to anyone logged in. What is the best practice for keeping the physical path to the document hidden so registered users can't share direct links with unregistered users or post direct links to the documents elsewhere?

EDIT: I was just looking for an idea that was language agnostic so I chose a few of my favorite languages for the tags. The actual implementation in this case is ASP classic. I'm currently using a download wrapper script that confirms the user is logged in before redirecting to the actual document URL. I just didn't include it in my question for simplicity.

8 answers

solution1
 11 ACCPTED  2009-05-15 15:18:52

Don't do that. Instead keep the files somewhere outside the document tree and then make them accessible using a script (eg, php, .Net, whatever)

The script can check if they are logged in, validate if they are allowed the file, and if so return it. The path they go to might look more like this... /download.php?file=mypdf.pdf

Something along the lines of... 

<?php
if (IsUserLoggedIn())
    readfile('/secret/path/to/file/mypdf.pdf');
?>

solution2
 8  2009-05-15 15:17:49

The best way is to read the file up from a non-web accessible path and write it to the output stream.

This seemed to show an OK example in php which you seemed to be using? Just add security check to top of php and kick them out if they are not authorized.

http://www.higherpass.com/php/Tutorials/File-Download-Security/

solution3
 1  2009-05-15 15:17:56

the best way to do that is to use a php/asp or serverside scripting file that reads the document a location that isnt available to the outside

that file then can check if the user is logged in and it can also hide the path to the physical file

so the url would be www.yourwebsite.com/file.php?file=image.png

file.php would verify that the user is logged in then it would read the file or redirect them to the login page

solution4
 1  2009-05-15 15:24:20

What you want to do is create a PHP page that does two things:

  1. authenticate the user that is making the request
  2. stream the file to the client

This link will help with streams. And this code may be helpful: 

header("Content-Disposition: attachment; filename=$name of pdf that you want to download");
header("Content-Type: application/pdf");
header("Content-Length: ".filesize("$location of pdf/$name of pdf that you want to download"));
header("Pragma: no-cache");
header("Expires: 0");
$fp=fopen("$location of pdf/$name of pdf that you want to download","r");
print fread($fp,filesize("$location of pdf/$name of pdf that you want to download"));
fclose($fp);
exit();

Saw this in a discussion here .

solution5
 1  2009-05-18 17:10:32

I had a similar problem many moons ago in classic ASP.

Kept files in a directory outside of the webroot.

Upon verification, sent the file via ADODB.Stream, and then checked the file extension to make sure i had the proper mime-type set.

solution6
 0  2009-05-15 15:18:28

It's not clear if you're using ASP.NET, ASP.NET MVC or something else. However, this post...

How can I present a file for download from an MVC controller?

... shows how to programatically return a file to the user using ASP.NET (the question shows the ASP.NET way, the answers show the MVC way).

THis would allow the physical files to be in a folder not otherwise accessible to the user, and would allow you to add validation prior to returning the document to ensure that the user was registered etc.

If you're at a stage in your development where it's not too late to use ASP.NET MVC then do so. This scenario (serving up a file) becomes a one-liner, and so many other things will be easier (in particular, the testing of your app).

solution7
 0  2009-05-15 15:19:47

You could use a IHttpHandler in .net, although you need wildcard access in IIS. You could use a session based handler.

solution8
 0  2009-05-15 15:32:46

  1. Use a script for access control

    Make a script like myurl.com/file.php?docs/mypdf.pdf which checks that the user has rights to access the file. The script will fetch the file from a place that is not visible to the web.

  2. (Optional) Use mod_rewrite to make your urls look nice, and redirect user to the file.php script. Something like:

    RewriteCond docs/%{REQUEST_FILENAME} !-f

    RewriteRule ^(.*)$ file.php/$1 [QSA,L]

    This will redirect /docs/mypdf.pdf to /file.php?docs/mypdf.pdf but look nicer for the user.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How do you determine the physical path of a file without an HttpContext? How Do I Upload a File To a Folder Online Without Getting "Access to the path is denied" How to attach a file to work item in TFS without physical file path? How to display a file in a folder without showing physical path? How can I set the physical path of this xml file programmatically? How do I serve an html file in my Web App with ASP.NET without the WWWROOT? How can I find the physical path of wwwroot, in a Razor page without a controller? How do I transmit a SecureString (or similar) across the network without exposing the plaintext? Physical File Path How do I link to downloadable files in ASP.NET MVC?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM