Hi there,

I hope that someone might have an idea or suggestion to help me here.

I have a web application running on Linux in Apache 2, php5. The application manages a media database that is accessed by subscription. The content is served off separate Apache servers – some are located in different geographic regions. All users access the content by common URL, such as http://www.maindomain.com/123/file.avi

I use .htaccess with mod_rewrite to modify the incoming URL to a PHP script such as http://www.maindomain.com/getfile.php?user=123&file=file.avi

This works great and the PHP script is called, logs the request, checks the user’s subscription rights, and if OK redirects them to the actual file to obtain by way of a Header() command (i.e. modifies the HTTP header to do a Location: …. to where the file actually resides).

Although this works perfectly, the problem is that the user’s browser will change to reflect the endpoint URL where the file actually resides. Users then simply have been cutting & pasting this URL into their own websites and providing unaudited access to the raw file directly and bypassing our script.

I need to find a way to do this without displaying the endpoint URL to the user in any way. But it has to be able to be done through a PHP script. Clearly Header() in PHP isn’t cutting it. I also have to use Apache at each endpoint web server location.

I’m wondering if anyone has a suggestion on how best to do this? Can I install something in .htaccess on the endpoint server end to reject incoming requests that are not via authenticated redirects? Can I use the HTTP_REFERRER in some way to ensure that what has come to this server came by way of a legitimate referral?

All ideas are greatly appreciated.

Thanks

Myles
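
One way to make the redirect itself verifiable at the endpoint, as an added example that is not part of the original post: getfile.php signs the user, file path and an expiry time with a secret shared with the endpoint servers, and the endpoint rejects any request whose signature is missing, wrong or expired. The function names, the secret and the host `media1.example.com` are assumptions for illustration, and `hash_equals()` assumes PHP 5.6 or later.

```php
<?php
// Added example; the secret and host names are hypothetical placeholders.
define('SHARED_SECRET', 'replace-with-a-long-random-value');

// The HMAC binds the user, the expiry time and the exact file path together.
function sign_request($user, $path, $expires, $secret) {
    return hash_hmac('sha256', $user . "\n" . $expires . "\n" . $path, $secret);
}

// Main site (after the subscription check): build the target for the Location header.
function build_redirect_url($endpointBase, $user, $path, $ttl, $now, $secret) {
    $expires = $now + $ttl;
    $query = http_build_query(array(
        'user'    => $user,
        'expires' => $expires,
        'sig'     => sign_request($user, $path, $expires, $secret),
    ));
    return $endpointBase . $path . '?' . $query;
}

// Endpoint server: accept only an unexpired request with a matching signature.
function verify_request($path, array $params, $now, $secret) {
    foreach (array('user', 'expires', 'sig') as $key) {
        if (!isset($params[$key]) || !is_string($params[$key])) {
            return false;
        }
    }
    if (!ctype_digit($params['expires']) || (int) $params['expires'] < $now) {
        return false;
    }
    $expected = sign_request($params['user'], $path, (int) $params['expires'], $secret);
    return hash_equals($expected, $params['sig']); // constant-time comparison
}

// Constructed demo values: a link issued at $now with a 60-second lifetime.
$now = 1700000000;
$url = build_redirect_url('http://media1.example.com', '123', '/123/file.avi', 60, $now, SHARED_SECRET);
parse_str(parse_url($url, PHP_URL_QUERY), $params);
var_dump(verify_request('/123/file.avi', $params, $now + 30, SHARED_SECRET));   // fresh redirect
var_dump(verify_request('/123/file.avi', $params, $now + 600, SHARED_SECRET));  // link pasted and used later
var_dump(verify_request('/123/other.avi', $params, $now + 30, SHARED_SECRET));  // signature reused for another file
```

A pasted link stops working once `expires` passes, but within that window anyone holding it can still use it, so the lifetime should be kept short.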