Solve Anyone Can Download Problem

Posted on 2005-04-19
Last Modified: 2008-03-10
Within a popup, I have created a link to a file which I would like my users to download.  My site also has some crude authentication mechanism but is not a 'secure' site.

Now we find out anybody can just navigate to the URL directly and gain access to the file.

How can I protect the URL from being accessed by just anybody?  The URL represents a file we want the user to download.

Question by:supportoranges
    LVL 53

    Expert Comment

    In the request for the page there is a field "referrer" that contains the URL of the page where the link was clicked; if the user navigates to your page from the address bar or favorites that field will be blank.

    Just test that and don't give them the page if they did not come from your link.

    The actual syntax to test the field depends on the language you do your processing with server side but is generally in a format like if(request.referrer=="")

    LVL 16

    Expert Comment

    The only way to protect against hotlinking is pussting the files where they are not directly accessible and a script that streams the files out to users.

    This is my ASP version of it, but the same idea should work for other server side scripting languages.
    If you keep your files in C:\downloadfiles\ and call download.asp?fileloco=pie.exe, this will stream out pie.exe to you.
    Because pie.exe isn't in the web root, you can't just download it.
    If you want only logged in people, use sessions when you login so a session called svLogged is made.
    'redirect non members
    If Session("svLogged") <> 1 Then Response.Redirect("/")

    '      Forced Download Script by OliWarner.
    '      Please distribute, but leave these comments in.

    '      FileSizing Function

    Function ShowFileSize(filespec)
        Dim fso, f
        Set fso = CreateObject("Scripting.FileSystemObject")
        Set f = fso.GetFile(filespec)
        ShowFileSize = f.Size
        Set f = Nothing
        Set fso = Nothing
    End Function

    '      And the beat goes on...

    Response.Buffer = True

    Dim strFilePath, strFileSize, strFileName, strFileType, DLFile, objStream, ContentType
    Const adTypeBinary = 1

    DLFile = Request.QueryString("fileloco")

    ' Accept only a bare file name. A value containing a path separator or ".."
    ' would make strFilePath point outside C:\downloadfiles\, so refuse it outright.
    If DLFile = "" Or InStr(DLFile, "\") > 0 Or InStr(DLFile, "/") > 0 Or InStr(DLFile, "..") > 0 Then
        Response.Status = "400 Bad Request"
        Response.End
    End If

    strFilePath = "C:\downloadfiles\" & DLFile 'change this to wherever your files are kept
    strFileSize = ShowFileSize(strFilePath)
    strFileName = DLFile

    Set objStream = Server.CreateObject("ADODB.Stream")
    objStream.Type = adTypeBinary
    objStream.Open                 'the stream must be open before LoadFromFile
    objStream.LoadFromFile strFilePath

    'pick a MIME type from the last four characters of the name
    strFileType = LCase(Right(strFileName, 4))
    Select Case strFileType
        Case ".asf"
            ContentType = "video/x-ms-asf"
        Case ".avi"
            ContentType = "video/avi"
        Case ".doc"
            ContentType = "application/msword"
        Case ".zip"
            ContentType = "application/zip"
        Case ".xls"
            ContentType = "application/vnd.ms-excel"
        Case ".gif"
            ContentType = "image/gif"
        Case ".jpg", "jpeg"
            ContentType = "image/jpeg"
        Case ".wav"
            ContentType = "audio/wav"
        Case ".mp3"
            ContentType = "audio/mpeg"
        Case ".mpg", "mpeg"
            ContentType = "video/mpeg"
        Case ".rtf"
            ContentType = "application/rtf"
        Case ".htm", "html"
            ContentType = "text/html"
        Case ".asp"
            ContentType = "text/asp"
        Case Else
            ContentType = "application/octet-stream"
    End Select

    Response.AddHeader "Content-Disposition", "attachment; filename=" & strFileName
    Response.AddHeader "Content-Length", strFileSize
    Response.Charset = "UTF-8"
    Response.ContentType = ContentType
    Response.BinaryWrite objStream.Read

    objStream.Close
    Set objStream = Nothing
    Response.End                   'nothing else may follow the file bytes
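The pattern in the comment above (files kept outside the web root, a login-session check, a script that streams the bytes with attachment headers) in a language-neutral form, as an added example that is not code from the thread. It is written in Python rather than ASP or PHP so the logic can be run and checked stand-alone; the download folder name, the svLogged session key and the file contents are constructed for the demo. It goes one step beyond the posted script: any fileloco value that is not a bare file name is refused, so a request can never name a file outside the download folder.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Assumption: the download folder sits outside the document root, so its files
# have no URL of their own and can only be reached through serve_download().
DOWNLOAD_DIR = Path("/srv/downloadfiles")

MIME_TYPES = {                      # same idea as the Select Case in the ASP script
    ".zip": "application/zip",
    ".doc": "application/msword",
    ".xls": "application/vnd.ms-excel",
    ".gif": "image/gif",
    ".jpg": "image/jpeg",
    ".exe": "application/octet-stream",
}


def safe_path(base: Path, name: str) -> Optional[Path]:
    """Return base/name only if name is a bare file name that stays inside base.

    Rejects empty names, '.', '..', anything containing a separator, and any
    name that (via '..' or a symlink) resolves to a location outside base.
    """
    if not name or name in (".", "..") or "/" in name or "\\" in name:
        return None
    if name != os.path.basename(name):
        return None
    base = base.resolve()
    candidate = (base / name).resolve()
    if candidate.parent != base:
        return None
    return candidate if candidate.is_file() else None


def serve_download(session: Dict, query: Dict, base: Path = DOWNLOAD_DIR) -> Tuple[int, Dict[str, str], bytes]:
    """Minimal download.asp equivalent: returns (status, headers, body).

    Unauthenticated callers are sent to '/', like the svLogged check in the thread;
    a bad or missing file name gets a plain 404 rather than an error that reveals paths.
    """
    if session.get("svLogged") != 1:
        return 302, {"Location": "/"}, b""
    path = safe_path(base, query.get("fileloco", ""))
    if path is None:
        return 404, {"Content-Type": "text/plain"}, b"not found"
    body = path.read_bytes()
    headers = {
        "Content-Type": MIME_TYPES.get(path.suffix.lower(), "application/octet-stream"),
        "Content-Length": str(len(body)),
        "Content-Disposition": 'attachment; filename="%s"' % path.name,
    }
    return 200, headers, body


def demo() -> Dict[str, object]:
    """Constructed scenario: one file in the download folder and one file next to it
    that must stay unreachable. Returns the status of each request plus the headers
    of the successful one, so the outcome can be checked without a web server."""
    root = Path(tempfile.mkdtemp())
    base = root / "downloadfiles"
    base.mkdir()
    (base / "pie.exe").write_bytes(b"MZ" + b"\x00" * 14)     # 16 constructed bytes, not a real program
    (root / "private.txt").write_text("must not be served")
    member, anonymous = {"svLogged": 1}, {}
    results: Dict[str, object] = {
        "anonymous": serve_download(anonymous, {"fileloco": "pie.exe"}, base)[0],
        "member": serve_download(member, {"fileloco": "pie.exe"}, base)[0],
        "traversal": serve_download(member, {"fileloco": "../private.txt"}, base)[0],
        "missing": serve_download(member, {"fileloco": "nothere.exe"}, base)[0],
        "no_name": serve_download(member, {}, base)[0],
    }
    results["member_headers"] = serve_download(member, {"fileloco": "pie.exe"}, base)[1]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The resolve-and-compare step in safe_path is what makes the check robust: string filters alone miss encodings and symlinks, whereas comparing the resolved parent directory to the resolved base catches anything that ends up outside the folder, whatever the name looked like.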
    LVL 16

    Expert Comment

    pussting = putting

    and remember you need an ASP enabled server to do ^^ that.
    LVL 1

    Author Comment

    Thank you but the URL represents just a file to be downloaded like

    There's really not an HTML page, I put the link to the .exe on a popup as insisted by my client.  Pls help.

    LVL 16

    Expert Comment

    I'm suggesting you move your files so they cannot be accessed directly, only if the person requests files through download.asp.
    LVL 1

    Expert Comment

    I had the same access problem when exporting data via web. To guarantee that only the user who's requesting the file is the only one that can get it, I append some random numbers to the file name when I export it to the public areas and then give a link to the user so that he/she can download the file. As the directory is NOT BROWSABLE by other users, finding the file would require the GUESS of the correct number.. works pretty good
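Building on the random-numbers idea in the comment above, as an added example that is not code from the thread: a small server-side ticket table in Python (chosen so it can be run stand-alone; the user names, file names and clock values are constructed). It goes one step past the posted approach by tying each random token to the user it was issued to, an expiry time and a single use, so the public directory no longer needs to hold files under guess-proof names at all; the link handed to the user carries only the token, and the download script looks the file up from it.

```python
import secrets
import time
from typing import Dict, Optional, Tuple


class DownloadTickets:
    """Server-side table of single-use download tickets.

    Keeps the unguessable random part of the posted idea but checks it against
    the user it was issued to and an expiry time, so a link that leaks (proxy log,
    shared screen, browser history) cannot be used by anyone else or forever.
    """

    def __init__(self, ttl_seconds: int = 600) -> None:
        self._tickets: Dict[str, Tuple[str, str, float]] = {}
        self._ttl = ttl_seconds

    def issue(self, user_id: str, file_name: str, now: Optional[float] = None) -> str:
        """Create a ticket for user_id to fetch file_name; return the token for the link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 random bits: not guessable
        self._tickets[token] = (user_id, file_name, now + self._ttl)
        return token

    def redeem(self, token: str, user_id: str, now: Optional[float] = None) -> Optional[str]:
        """Return the file name if token is valid for user_id, else None.

        A valid ticket is removed on first use; an expired one is removed when seen;
        a ticket presented by the wrong user is left alone so the owner can still use it.
        """
        now = time.time() if now is None else now
        entry = self._tickets.get(token)
        if entry is None:
            return None
        owner, file_name, expires_at = entry
        if now > expires_at:
            del self._tickets[token]
            return None
        if owner != user_id:
            return None
        del self._tickets[token]
        return file_name


def demo() -> Dict[str, object]:
    """Constructed walk-through with fixed clock values so the results are repeatable."""
    tickets = DownloadTickets(ttl_seconds=600)
    token = tickets.issue("alice", "export-2005-04-19.csv", now=1000)
    stale = tickets.issue("alice", "old-export.csv", now=1000)
    return {
        "token_length": len(token),                                  # 43 URL-safe characters
        "wrong_user": tickets.redeem(token, "bob", now=1001),        # someone else's link
        "owner": tickets.redeem(token, "alice", now=1002),           # the intended download
        "replay": tickets.redeem(token, "alice", now=1003),          # same link a second time
        "guess": tickets.redeem("not-a-real-token", "alice", now=1003),
        "expired": tickets.redeem(stale, "alice", now=1000 + 601),   # past the 600 s window
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In a real deployment the table would live in the session store or a database rather than in memory, and the download script would combine this lookup with the same authenticated, outside-the-web-root streaming already described in the thread; the ticket only decides whether this user may have this file right now.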
    LVL 2

    Expert Comment

    Trying to use the header to get the referring page does not always work.  Often HTTP_REFERER is empty for one reason or another. It is not reliable.

    The simplest route globally to shore up your members area is to put everything in an "htaccess" folder and manage a password system to allow them in.  This will force users who want to access this area of the site to login.  Hotlinking to filenames will not work with htaccess.

    I agree with Oli Warner to an extent.  Using obfuscation to deliver the file is a good idea (as long as the files are protected) and there is a PHP example below (very basic).  But it's still totally insecure!   All they need to do is follow the link to the file download.  If they can type "download.php?file=foobar.exe" then that's defeated before it starts without some better kind of safeguard.

    A program like Intellitamper will usually show anyone the directory and file structure of any website, so hiding things in sneaky folders is pointless.

    HTACCESS will solve all your short term worries with about 5 lines of text and 2 tiny ftp files. I can send you the files for a basic setup by email or post here if it sounds appealing.

    HTACCESS brings up a Windows/IE password box itself.  No programming is needed. Just 1 file in the directory to protect and 1 password file.  PHP is not required but 'helpful' for managing passwords etc.

    The only problem is that your site may need very slight modification to use the new htaccess members login.

    Can you tell me what you have used to create your site? Be it ASP, PHP, both or something else?

    //link code

    //download.php basic example
    //scot forshaw
    <?php
    $file = "files/hello.exe"; /* kept somewhere the web server will not serve directly */
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=hello.exe");
    readfile($file); /* files/hello.exe - readfile() copies the bytes out; include() would try to run them as PHP */


    LVL 1

    Author Comment


     <?php
     $file =  "/SOMEFOLDER/1/0/5/55/???/user/SOMENUM/XXX/MYCOMNPANY/MYDIR/droppedoff/120000003.exe";
     $fp = fopen($file, "rb");                  // binary mode so the .exe is not altered on the way out
     header("Content-Type: application/octet-stream");
     header("Content-Disposition: attachment; filename=somefile.exe");
     fpassthru($fp);                            // copy the bytes to the client; the real path never reaches the browser
     fclose($fp);

     I FOUND THE ABOVE CODE WHICH DOESN'T GIVE A HINT of where somefile.exe comes from.  The boss is happy enough with that.  I think OliWarner came the closest.  Maybe it's not a secure site or the ultimate solution but it follows along the lines of obfuscation.  I had no idea prior to this that server side code could generate a popup.  Let me ponder how to split the points for an hour or two while I put that snippet into test.  Thanks to everyone for their quick help.

    I think perhaps the .htaccess file route may be a problem since the ISP controls the server very tightly.  I'm not counting on their technical assistance for anything anymore and we may be switching ISPs.

    It feels like OliWarner is giving the ASP version of this (our site is in PHP).

    Thanks people.
    LVL 16

    Accepted Solution

    Yes it was the ASP version as you never specified that you needed PHP before I answered =)
    LVL 1

    Author Comment

    Thank you OliWarner.  Your answer led me to the PHP answer.  It also supported me as the boss kept on about how easy it is in Perl (ugh).  

    Doesn't matter the language - you were right on the money.  How amazing a popup can be generated from the server!

    Everyone else thank you for your help.
