Jason Motes wrote:
>>
>> I'm designing a controlled access system in PHP, and it's coming along
>> quite well. It's very simple, and just sets a session variable, such as
>> $_SESSION['authenticated'] = 1, not a whole lot.
>>
>> Now I run a small snippet of code on the top of each HTML and PHP file,
>> which checks for this variable, and either allows or denies access to the
>> page.
>>
>> However, how do people protect against the downloading of real files,
>> ones which are not parsed by PHP? .WMV, .MOV, .ZIP, .EXE and so on? I
>> want to protect access to these as well, and if a visitor just types in
>> a URL and is able to access the file because my access control mechanism
>> simply doesn't work on those types of files, what should be the solution
>> here?
>>
>> It's been suggested to use readfile() to accomplish this, by forwarding
>> content from outside of the document root - but this just sounds odd.
>> On top of being (what I think would be) incredibly slow, it just doesn't
>> sound "right".
>>
>
> I had a similar issue. I ended up using a .htaccess so that you could
> not open the file directly. It checked for the referrer. This is not
> the most secure way to do it. I know it can be spoofed.
>
> IndexIgnore *
> SetEnvIfNoCase Referer "^http://example.com/viewer.php" local_ref=1
> Order Allow,Deny
> Allow from env=local_ref
>
> Jason Motes
> php at imotes.com
>

Thanks for the reply, Jason - I'd like to keep the application as portable
as possible; thus, I cannot use any kind of htaccess hackery because I want
this PHP application to run on IIS, as well.

Thanks
-dant

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
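
The readfile() approach raised in the original question, which needs no .htaccess and so also runs on IIS, sketched as an added example that is not part of the thread. The script name `download.php`, the `PROTECTED_DIR` path, the `file` query parameter and the `resolve_protected_path()` helper are all assumptions made for illustration.

```php
<?php
// download.php: hypothetical gate script (added example, not from the thread).
// Assumption: protected files live in PROTECTED_DIR, outside the document root.
declare(strict_types=1);
const PROTECTED_DIR = '/var/www/protected'; // assumed path, not web-accessible

// Map a requested name to a real file inside $baseDir, or null if it escapes
// the directory (../ or symlink), does not exist, or is not a regular file.
function resolve_protected_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The canonical path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

session_start();
// Same flag the original poster sets on login and checks on every page.
if (empty($_SESSION['authenticated'])) {
    http_response_code(403);
    exit('Access denied');
}

$name = $_GET['file'] ?? null; // 'file' is an assumed parameter name
$path = is_string($name) ? resolve_protected_path(PROTECTED_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Release the session lock so a long download does not block other requests.
session_write_close();

header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
// Drop output buffers so readfile() streams the file instead of holding it in memory.
while (ob_get_level() > 0) {
    ob_end_clean();
}
readfile($path);
```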