Re: Download files outside DocumentRoot Dir

Ramiro wrote:
Hi,
I'm trying to find a good solution to this problem. I want to download files from a directory outside DocumentRoot.

These files cannot be downloaded through a direct URL like http://site/test.zip. They must be downloaded after user login.

I know I can do that using some functions like fread() + fopen() or readfile(), then I would echo the file buffer to the browser with the correct headers. But reading and then dumping the file to the browser is a big problem for the server.

I've made one test that shows me I will "eat" 1.8% of RAM (I used "ps aux" on Linux, on a server with 2Gb of RAM) to download a 30Mb file at 60kb/s speed. So, imagine what a dump-php-script can do with 50 to 100 concurrent downloads. Probably I will need 1 TeraByte of RAM to provide downloads ;)

There's my question now. Is there another way to protect files against direct downloading? (Obligating users to log in and denying direct URLs.)

I also know I can check the referer by using mod_rewrite in Apache. But it isn't secure, since the referer can be omitted or faked.

Please help me ;)

Thank you !
--------
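Script I used to test:
<?php
// File to send to the browser (relative to the script's working directory).
$url = "test.tar.gz";

// Headers that make the browser offer the response as a download.
header('Content-Description: File Transfer');
header('Content-Type: application/force-download');
header("Content-Disposition: attachment; filename=\"".basename($url)."\";");
header('Content-Length: ' . filesize($url));
// Write the file to the output; stop silently if it cannot be read.
@readfile($url) OR die();
?>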

What you can do is put the downloads in a separate directory actually in
your webroot. Then, use a .htaccess file to include a PHP file which
checks for authentication.

i.e.:

File in : /var/www/htdocs/downloads/file.zip
Accessible by: http://site/downloads/file.zip

.htaccess:

php_value auto_prepend_file "/var/www/htdocs/authenticate.php"

authenticate.php would theoretically have some code to check that the
user is authenticated, and if not, redirect to a login screen before any
headers are sent to the user.

--
Christopher Weldon, ZCE
President & CEO
Cerberus Interactive, Inc.
cweldon@xxxxxxxxxxxxxxxxxx
979.739.5874

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
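
Added example (not part of the original thread, and not code from either poster): a download script that performs the login check the reply assigns to authenticate.php before any headers are sent, then serves a file stored outside DocumentRoot in fixed-size chunks so memory use does not grow with file size. The directory, the login URL, the `file` query parameter and the `user_id` session key are hypothetical names chosen for illustration.

```php
<?php
// download.php: added example. Paths, session key and login URL are assumptions.
const DOWNLOAD_DIR = '/var/private/downloads'; // hypothetical, outside DocumentRoot
const LOGIN_URL    = '/login.php';             // hypothetical login page
const CHUNK_BYTES  = 8192;

session_start();

// Authentication check before any output, the job the reply gives authenticate.php.
if (empty($_SESSION['user_id'])) {             // hypothetical key set at login
    header('Location: ' . LOGIN_URL, true, 302);
    exit;                                      // stop here, or the file is still sent
}
session_write_close(); // release the session lock during the long transfer

// basename() drops any directory part of the request; realpath() resolves
// symlinks so the prefix check below compares canonical paths.
$req  = $_GET['file'] ?? '';
$name = is_string($req) ? basename($req) : '';
$base = realpath(DOWNLOAD_DIR);
$path = ($name !== '' && $base !== false) ? realpath($base . '/' . $name) : false;
if ($path === false || strpos($path, $base . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit;
}

$fh = fopen($path, 'rb');
if ($fh === false) {
    http_response_code(500);
    exit;
}

// An active output buffer can accumulate the whole file in memory; drop them all.
while (ob_get_level() > 0) {
    ob_end_clean();
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', $name) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');

// Send fixed-size chunks so memory use stays near CHUNK_BYTES for any file size.
while (!feof($fh) && !connection_aborted()) {
    echo fread($fh, CHUNK_BYTES);
    flush();
}
fclose($fh);
```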

