That's the verification that my layer does. I'm not sure whether that's enough or not.

On Sat, May 30, 2009 at 4:43 PM, Michael A. Peters <mpeters@xxxxxxx> wrote:

> Nitsan Bin-Nun wrote:
>
>> On Sat, May 30, 2009 at 3:26 PM, Michael A. Peters <mpeters@xxxxxxx> wrote:
>>
>>> Nitsan Bin-Nun wrote:
>>>
>>>> Hi
>>>>
>>>> I have written a file uploader in PHP, and I don't want people to
>>>> hijack it (get direct links, download whenever they want, etc).
>>>>
>>>> Currently I have placed the uploaded files one directory up from
>>>> the www root, and I'm hosting the files mime type in order to serve
>>>> them on the fly.
>>>>
>>>> I'm trying to think how should I secure this website, I don't want
>>>> people to get direct links, etc.
>>>>
>>>> Currently the links are being checked with the $_SERVER['refer']
>>>> variables and it being compared to the one in my config file.
>>>>
>>>> Any ideas will be very appreciated! Thanks!
>>>>
>>>> By the way, does this file serving feature take a lot of load from
>>>> the server? If so then what are the other options? Can I serve these
>>>> files w/o PHP involved? Let's say only by some sort of apache module
>>>> or anything like that?
>>>
>>> What I do -
>>>
>>> Files for restricted access are outside the web root.
>>> php wrapper script verifies the credentials of user to download the
>>> file (i.e. via a post token, session ID, etc.) and if allowed, it then
>>> sends the real file.
>>>
>>> I use mod_rewrite (apache) to send requests for the real file to the
>>> php wrapper script so that the linked file has the same name as the
>>> real file (lets me use the same wrapper for lots of different files).
>>>
>>> As far as load on the server, no - I don't think it costs a lot as
>>> far as system resources.
>>
>> Thank you for the fast answer.
>>
>> I'm doing the same regarding the php wrapper layer, but the thing is that
>> I just don't know what verification exams should I do in the php wrapping
>> layer.
>> I'm not sure what is the way that it should be done.
>
> I check the referrer, assuming no other credential is required, if it is
> from an approved site or not sent (some people disable sending the
> http_referrer in their browser), I allow it. Otherwise I don't.
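
The wrapper check discussed in this thread, as an added example that is not part of any of the messages. Because the Referer header is supplied by the client, this version has the wrapper verify an expiring HMAC-signed link bound to the visitor's session before sending a file stored outside the web root. `STORE_DIR`, `DOWNLOAD_SECRET`, `LINK_TTL`, `make_link`, `verify_link` and `download.php` are hypothetical names.

```php
<?php
// Added example; all names here are hypothetical, not code from this thread.
const STORE_DIR = '/var/uploads';   // assumed upload directory outside the web root
const LINK_TTL  = 300;              // link lifetime in seconds

function secret(): string {
    $s = getenv('DOWNLOAD_SECRET'); // assumption: key supplied via environment
    if ($s === false || strlen($s) < 32) {
        throw new RuntimeException('DOWNLOAD_SECRET missing or too short');
    }
    return $s;
}

// Build a link bound to one file, one session and an expiry time.
function make_link(string $name, string $sessionId, int $now): string {
    $exp = $now + LINK_TTL;
    $mac = hash_hmac('sha256', "$name|$sessionId|$exp", secret());
    return 'download.php?f=' . rawurlencode($name) . "&e=$exp&m=$mac";
}

// Return the real path when the request is valid, otherwise null.
function verify_link(array $q, string $sessionId, int $now): ?string {
    [$name, $exp, $mac] = [$q['f'] ?? '', $q['e'] ?? '', $q['m'] ?? ''];
    if (!is_string($name) || !is_string($exp) || !is_string($mac)) {
        return null;                // e.g. f[]=x array parameters
    }
    if (!ctype_digit($exp) || (int)$exp < $now) {
        return null;                // malformed or expired
    }
    $want = hash_hmac('sha256', "$name|$sessionId|$exp", secret());
    if (!hash_equals($want, $mac)) {
        return null;                // altered, or issued to another session
    }
    $base = realpath(STORE_DIR);    // basename() below drops any directory part
    $path = $base === false ? false : realpath($base . '/' . basename($name));
    if ($path === false || dirname($path) !== $base || !is_file($path)) {
        return null;                // resolved outside the store, or not a file
    }
    return $path;
}

if (PHP_SAPI !== 'cli') {           // wrapper entry point (download.php)
    session_start();
    $path = verify_link($_GET, session_id(), time());
    if ($path === null) { http_response_code(403); exit; }
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

The page that lists a file calls `make_link()` with the current `session_id()`, so a copied link stops working once it expires or is opened from a different session.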