Prevent Directory browsing and file retrieval without querystring token
I've got a paid download package that I want to host on a deep folder of one of my webservers. I've turned off directory browsing in .htaccess with the Options -Indexes
But开发者_如何学C I'd also like to further lock down these valuable files by requiring a token be present on the Querystring before the server would let them go.
Is this possible?
Is their a better approach that is free and does not require passwords?
If you link directly to the file, say a zip or exe, it is not possible to protect the file with any querystring tokens.
What you need to do is create a PHP script that fetches the download file from a deep directory (or preferably one outside the web root) and streams it to the user. That way you can request the querystring token, and only execute the script if the token matches. Note that the token is essentially acting as a weak password.
This script will show you how to fetch a pdf from a directory on your webserver. It should be quite easy to request and validate the querystring also:
http://www.finalwebsites.com/forums/topic/php-file-download
Again, you should really store the protected files OUTSIDE the web root. Otherwise, anyone who can work out the direct path can easily bybass your script and download the file directly.
You could check for the query token and redirect to the file if it matches:
<?php
if(isset($_GET['token']) && $_GET['token'] == 42){
header('Location: http://example.com/file.blah');
}
else{
die('sorry!');
}
?>
Please note that this is really week security by obscurity. It won't take much for a user to notice the redirect and hit the file directly.
A better solution would require that you stream the file...as @Ciaran describes (thanks for posting it better and more clearly than I was just about to!).
As @Ciran notes, this isn't very secure, either. If the file isn't very sensitive, it might be "good enough" to just have it expire after some period of time.
精彩评论