What do you mean by session variables? I should register a new session and pass it along with the file to the PHP wrapper?

On Sat, May 30, 2009 at 10:02 PM, Michael A. Peters <mpeters@xxxxxxx> wrote:
> Nitsan Bin-Nun wrote:
>> On Sat, May 30, 2009 at 7:02 PM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>>> On Sat, 2009-05-30 at 17:54 +0200, Nitsan Bin-Nun wrote:
>>>> That's the verification that my layer does. I'm not sure whether that's enough or not.
>>>>
>>>> On Sat, May 30, 2009 at 4:43 PM, Michael A. Peters <mpeters@xxxxxxx> wrote:
>>>>> Nitsan Bin-Nun wrote:
>>>>>> On Sat, May 30, 2009 at 3:26 PM, Michael A. Peters <mpeters@xxxxxxx> wrote:
>>>>>>> Nitsan Bin-Nun wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> I have written a file uploader in PHP, and I don't want people to hijack it (get direct links, download whenever they want, etc).
>>>>>>>>
>>>>>>>> Currently I have placed the uploaded files one directory up from the www root, and I'm hosting the files' mime type in order to serve them on the fly.
>>>>>>>>
>>>>>>>> I'm trying to think how I should secure this website; I don't want people to get direct links, etc.
>>>>>>>>
>>>>>>>> Currently the links are being checked with the $_SERVER['refer'] variable and it is being compared to the one in my config file.
>>>>>>>>
>>>>>>>> Any ideas will be very appreciated! Thanks!
>>>>>>>>
>>>>>>>> By the way, does this file serving feature take a lot of load from the server? If so, then what are the other options? Can I serve these files w/o PHP involved? Let's say only by some sort of apache module or anything like that?
>>>>>>>
>>>>>>> What I do -
>>>>>>>
>>>>>>> Files for restricted access are outside the web root.
>>>>>>> A php wrapper script verifies the credentials of the user to download the file (i.e. via a post token, session ID, etc.) and if allowed, it then sends the real file.
>>>>>>>
>>>>>>> I use mod_rewrite (apache) to send requests for the real file to the php wrapper script so that the linked file has the same name as the real file (lets me use the same wrapper for lots of different files).
>>>>>>>
>>>>>>> As far as load on the server, no - I don't think it costs a lot as far as system resources.
>>>>>>
>>>>>> Thank you for the fast answer.
>>>>>>
>>>>>> I'm doing the same regarding the php wrapper layer, but the thing is that I just don't know what verification exams I should do in the php wrapping layer.
>>>>>> I'm not sure what is the way that it should be done.
>>>>>
>>>>> I check the referrer, assuming no other credential is required; if it is from an approved site or not sent (some people disable sending the http_referrer in their browser), I allow it. Otherwise I don't.
>>>
>>> That should be fine for downloading files. There will be an issue if they are media files and you want to play them from a browser plugin, as no plugin I've ever seen actually passes the referrer header.
>>>
>>> Ash
>>> www.ashleysheridan.co.uk
>>
>> I'm sending downloading headers, there will be no option of playing it from the browser's plugin.
>> Thank you both for your comments. I have decided that the referrer check is enough for now :)
>>
>> Nitsan
>
> If you really want to be sure, you can use session variables with a download wrapper.
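An added example (not code from anyone in this thread) of the download wrapper Michael describes: files sit one directory above the web root, mod_rewrite routes the public link to the script, and the script checks a session variable set at login instead of the client-controlled Referer header before streaming the file. The directory, query parameter and `$_SESSION['user_id']` key are assumptions.

```php
<?php
// download.php (assumed name): added example of a session-checked download
// wrapper for files stored outside the web root.
//
// Assumed .htaccess in the web root, mapping /files/<name> to this script:
//   RewriteEngine On
//   RewriteRule ^files/([^/]+)$ /download.php?file=$1 [L,QSA]
declare(strict_types=1);

session_start();

// Storage directory one level above the document root, as in the thread.
$storeDir = realpath(dirname($_SERVER['DOCUMENT_ROOT']) . '/uploads');

// 1. Credential check: the login code is assumed to set $_SESSION['user_id'].
//    Unlike a Referer check, this cannot be forged by just editing a header.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// 2. Accept only a bare file name so "../" or absolute paths cannot escape
//    the storage directory.
$name = basename((string) ($_GET['file'] ?? ''));
if ($name === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
    http_response_code(400);
    exit('Bad file name');
}

// 3. Resolve the path and confirm it really lies inside $storeDir.
$path = ($storeDir !== false) ? realpath($storeDir . '/' . $name) : false;
if ($path === false
    || strpos($path, $storeDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// 4. Send it as an attachment (no in-browser playback, matching the thread)
//    with a private, non-cacheable response so proxies cannot replay it.
$mime = mime_content_type($path) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Cache-Control: private, no-store');
readfile($path);
```

The session check is the part that answers the last question in the thread: nothing is passed along with the file; the browser's session cookie identifies the logged-in user, and the wrapper only reads the session it already has.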