How can I protect my site from being leeched?

I am using the header function of PHP to send the file to the browser with some small code. It works well, and I have it set up so that if anyone requests it with a referer other than my site, it redirects to a page first. Unfortunately, it's not working with Internet Download Manager.

What I want to know is how the RapidShare and 4shared sites do this.


You could use sessions to make sure the download is being requested by a valid user.


Not all browsers / software that can see web pages will send a Referer to your server. Some sites will make a browser "fingerprint", usually hashed, which might be Referer, User-Agent and a couple of other headers strung together to make a unique identifier for that user and thus restrict access as you describe.

Of course, I may have completely missed the point of your post!


A typical design pattern is using a front controller to have a single entry point for all requests. By having a front controller, you can control exactly what the client sees.

You can configure this in Apache so that all requests go through a single file (it's been a while since I've done this because I now concentrate on Java). I think you would need to look at pathinfo documentation for Apache.

This might require a significant change in the rest of your application code. But, the code will be more secure and maintainable in the long run.

I've served images and other binary files through this pattern. This allowed me to easily verify users were authenticated before actually sending them the file. Obfuscation is not security, so if you rely on obfuscating your URL, an attacker may be delayed in getting in, but it is just a matter of time.

Walter


The problem is probably that sending a file through a PHP script (with the headers you mentioned) doesn't support starting the file download at a certain position. Download managers use this feature to download a file using several simultaneous threads (assuming the server gives one thread a certain speed).

For a small project I would recommend making a copy of the file with a unique filename just for the download time and redirecting the user to this copied file. This way he gets full server download features, and it also doesn't load the processor as PHP does. Disadvantages: more disk space required and the need to clean up the download directory.
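An added example, not posted by anyone in this thread: a PHP download handler that combines the session check suggested in the first answer with the single-range `Range` requests that download managers send. The session key `user_id`, the directory `/srv/downloads`, the `f` query parameter and the helpers `parse_range()` and `deny()` are assumptions made for the illustration.

```php
<?php
// Added example. Assumed names: $_SESSION['user_id'], /srv/downloads, the ?f= parameter.
/** Single "bytes=a-b" range -> [start, end]; null = ignore the header, false = unsatisfiable. */
function parse_range($header, $size)
{
    if (!preg_match('/^bytes=(\d*)-(\d*)$/', trim($header), $m) || $m[1] . $m[2] === '') {
        return null;                           // multi-range or malformed: serve the whole file
    }
    if ($m[1] === '') {                        // suffix form "bytes=-N": the last N bytes
        $start = max(0, $size - (int) $m[2]);
        $end = $size - 1;
    } else {                                   // "bytes=a-" or "bytes=a-b"
        $start = (int) $m[1];
        if ($m[2] !== '' && (int) $m[2] < $start) {
            return null;                       // end before start is invalid syntax: ignore it
        }
        $end = $m[2] === '' ? $size - 1 : min((int) $m[2], $size - 1);
    }
    return $start <= $end ? [$start, $end] : false;
}

function deny($code) { http_response_code($code); exit; }

session_start();
if (empty($_SESSION['user_id'])) {             // assumed to be set by the site's login code
    deny(403);                                 // the server-side check replaces the Referer test
}
session_write_close();                         // release the session lock for parallel requests
$path = '/srv/downloads/' . basename((string) ($_GET['f'] ?? ''));  // basename() strips ../
if (!is_file($path)) {
    deny(404);
}
$size = filesize($path);
$range = isset($_SERVER['HTTP_RANGE']) ? parse_range($_SERVER['HTTP_RANGE'], $size) : null;
if ($range === false) {
    header("Content-Range: bytes */$size");
    deny(416);
}
[$start, $end] = $range ?? [0, $size - 1];
if ($range !== null) {
    http_response_code(206);                   // Partial Content
    header("Content-Range: bytes $start-$end/$size");
}
header('Accept-Ranges: bytes');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . preg_replace('/[^\w.-]/', '_', basename($path)) . '"');
header('Content-Length: ' . ($end - $start + 1));
stream_copy_to_stream(fopen($path, 'rb'), fopen('php://output', 'wb'), $end - $start + 1, $start);
```

A download manager is only authorized here if it sends the browser's session cookie with each range request; requests without it get the 403.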
