James Andrews

Downloadable File Protection

by jandrews on Apr.08, 2010, under Web Development

We are going to talk today about protecting files and allowing access to them through some kind of authentication scheme. Let’s say you have a website with a membership area, where a user can log in and view content such as PDFs, spreadsheets and Word documents. The issue any website may run into is that by default these documents aren’t protected: anyone who has the URL of a file can access it. Therefore you really should find some way of protecting them.

The first thing you should do is keep the web server from showing a directory listing. This is just proper security from the get-go; it can be dangerous to let this information be available. With Apache this is done either in httpd.conf or in the .htaccess file.


Options Indexes FollowSymLinks

The above line tells Apache to show indexes. Removing Indexes from that line in your httpd.conf, or redefining the option in the .htaccess file, will resolve the problem.


Options FollowSymLinks

My preferred method of file protection is to not store these files in a publicly accessible directory, and instead create a script that can access them. This gives me all the control I want: I can detect whether someone is logged in, and I can also define permissions for files, so if someone is logged in but doesn’t have the proper credentials to access a file I can send them to the proper location.


<?php

// Where the files are stored (a directory outside the web root).
$storageDir = "/some/path/to/store/files";

// Get the file name from the query string. basename() drops any directory
// part, so a request cannot use "../" to walk out of $storageDir.
$fileName = isset($_REQUEST['file']) ? basename($_REQUEST['file']) : '';
$filePath = $storageDir . '/' . $fileName;

// Check that the file exists; if not, redirect to the denial page.
// exit after the redirect, otherwise the rest of the script still runs.
if ($fileName === '' || !is_file($filePath)) {
    header("Location: /denied.php");
    exit;
}

// Put whatever other detection you want here. Check for login etc.

// If we haven't redirected to a denied page we can send them the content.
// Important headers to set so we can force the download.
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $fileName . '"');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($filePath));
ob_clean();
flush();
readfile($filePath); // read from the storage directory, not the bare file name
exit;

?>

Now when a file is requested, if it exists and meets all the conditions you have set, the script will let it be downloaded.
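The "define permissions for files" idea above, carried through as an added example (not code from the original post): the gate keeps the files outside the web root, refuses any name that resolves outside the storage directory, and checks the logged-in role against a per-file list. The $_SESSION['role'] field, the $acl map and the storage path are assumptions for this illustration.

```php
<?php
// Added example, not code from the original post: a download gate that refuses
// any name resolving outside the storage directory and checks the logged-in
// role against a per-file list. $_SESSION['role'] and $acl are assumed here.
// Per-file permissions: file name => roles allowed to download it (assumed).
$acl = [
    'members-guide.pdf' => ['member', 'admin'],
    'board-minutes.doc' => ['admin'],
];

// Returns the absolute path to serve, or null with the refusal reason in $why.
function authorizeDownload($storageDir, $requested, $role, array $acl, &$why)
{
    $name = basename((string) $requested);       // strips "../" and subdirectories
    $root = realpath($storageDir);
    $path = realpath($storageDir . '/' . $name); // also follows symlinks out of the store
    if ($name === '' || $root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        $why = 'missing';
        return null;
    }
    if ($role === null) {                        // nobody is logged in
        $why = 'login';
        return null;
    }
    if (!isset($acl[$name]) || !in_array($role, $acl[$name], true)) {
        $why = 'forbidden';                      // logged in, but not entitled to this file
        return null;
    }
    $why = null;
    return $path;
}

function sendFile($path)
{
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Entry point: send each refusal to the proper page, as the post describes.
session_start();
$storageDir = '/some/path/to/store/files';       // assumed location, outside the web root
$role = isset($_SESSION['role']) ? $_SESSION['role'] : null; // assumed: set at login
$path = authorizeDownload($storageDir, isset($_GET['file']) ? $_GET['file'] : '', $role, $acl, $why);
if ($path === null) {
    header('Location: ' . ($why === 'login' ? '/login.php' : '/denied.php'));
    exit;
}
sendFile($path);
```

A missing file and a file outside the store both come back as 'missing', so the response does not reveal which names exist on disk.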

Now let’s say you don’t have PHP on the server, or ASP or Ruby or Python. I know, highly unlikely, but it could happen. Or say you have a website where you have already linked 1000 of these files, and using the above method would cause you quite a bit of work. You could use mod_rewrite to protect the files, using two different methods.

The first is detecting the HTTP referer. By checking the referring page URL you are basically telling the server to only allow access to the files from your pages and not directly from the URL. If the pages the files are linked from are secured via an authentication scheme, then bingo, access to the files is protected.

What we are doing here is using mod_rewrite to detect whether the referer is empty. If it is, we redirect the visitor to a page telling them that the file is inaccessible.

RewriteEngine On
# The Referer header is sent by the browser and may be absent or altered, so
# this stops casual direct links rather than a determined visitor.
RewriteCond %{HTTP_REFERER} ^$
# Don't rewrite the denial page itself, or the redirect loops forever.
RewriteCond %{REQUEST_URI} !^/denied\.html$
RewriteRule .* http://mydomain.com/denied.html [R,L]

The second is to use mod_rewrite to detect whether a specific cookie is set a specific way. Here we test whether a specific cookie is set to true. You could also write the expression just to check that it exists. If it doesn’t, access is denied.

RewriteEngine On
# The Cookie header usually carries several cookies, so match mycookie=true
# anywhere in it rather than anchoring the whole header to that one value.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)mycookie=true(;|$)
# Don't rewrite the denial page itself, or the redirect loops forever.
RewriteCond %{REQUEST_URI} !^/denied\.html$
RewriteRule .* http://mydomain.com/denied.html [R,L]

These are just a few examples of how you can prevent access to files and keep your important documents safe from those who may not have paid for access to them, or whom you don’t want to have access.
