Solve Anyone Can Download Problem

Posted on 2005-04-19
Medium Priority
Last Modified: 2008-03-10
Within a popup, I have created a link to a file which I would like my users to download.  My site also has some crude authentication mechanism but is not a 'secure' site.

Now we find out anybody can just navigate to the URL directly and gain access to the file.

How can I protect the URL from being accessed by just anybody?  The URL represents a file we want the user to download.

Question by:supportoranges
LVL 53

Expert Comment

ID: 13814504
In the request for the page there is a field "referrer" that contains the URL of the page where the link was clicked; if the user navigates to your page from the address bar or favorites, that field will be blank.

Just test that and don't give them the page if they did not come from your link.

The actual syntax to test the field depends on the language you do your processing with server side but is generally in a format like if(request.referrer=="")

LVL 16

Expert Comment

ID: 13814542
The only way to protect against hotlinking is pussting the files where they are not directly accessible and a script that streams the files out to users.

This is my ASP version of it, but the same idea should work for other server-side scripting languages.
If you keep your files in C:\downloadfiles\ and call download.asp?fileloco=pie.exe, this will stream out pie.exe to you.
Because pie.exe isn't in the web root, you can't just download www.example.com/files/pie.exe.
If you want only logged-in people, use sessions when you login so a session called svLogged is made.
'redirect non members
If Session("svLogged") <> 1 Then Response.Redirect("/")

'      Forced Download Script by OliWarner.
'      Please distribute, but leave these comments in.

'      FileSizing Function

Function ShowFileSize(filespec)
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.GetFile(filespec)
    ShowFileSize = f.Size
    Set fso = Nothing
End Function

'      And the beat goes on...

Response.Buffer = True

Dim strFilePath, strFileSize, strFileName, strFileType, ContentType, DLFile, objStream
Const adTypeBinary = 1

DLFile = Request.QueryString("fileloco")

' Accept a bare file name only: a value containing a path separator or ".."
' could otherwise make the script read files outside C:\downloadfiles\
If DLFile = "" Or InStr(DLFile, "\") > 0 Or InStr(DLFile, "/") > 0 Or InStr(DLFile, "..") > 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

strFilePath = "C:\downloadfiles\" & DLFile 'change this to wherever your files are kept
strFileSize = ShowFileSize(strFilePath)
strFileName = DLFile

Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Type = adTypeBinary
objStream.Open                    ' the stream must be open before LoadFromFile
objStream.LoadFromFile strFilePath

' Last four characters cover both ".ext" and four-letter extensions such as "jpeg"
strFileType = LCase(Right(strFileName, 4))
Select Case strFileType
    Case ".asf"
        ContentType = "video/x-ms-asf"
    Case ".avi"
        ContentType = "video/avi"
    Case ".doc"
        ContentType = "application/msword"
    Case ".zip"
        ContentType = "application/zip"
    Case ".xls"
        ContentType = "application/vnd.ms-excel"
    Case ".gif"
        ContentType = "image/gif"
    Case ".jpg", "jpeg"
        ContentType = "image/jpeg"
    Case ".wav"
        ContentType = "audio/wav"
    Case ".mp3"
        ContentType = "audio/mpeg3"
    Case ".mpg", "mpeg"
        ContentType = "video/mpeg"
    Case ".rtf"
        ContentType = "application/rtf"
    Case ".htm", "html"
        ContentType = "text/html"
    Case ".asp"                   ' was a second ".doc" case, which could never be reached
        ContentType = "text/asp"
    Case Else
        ContentType = "application/octet-stream"
End Select

Response.AddHeader "Content-Disposition", "attachment; filename=" & strFileName
Response.AddHeader "Content-Length", strFileSize

Response.Charset = "UTF-8"
Response.ContentType = ContentType
Response.BinaryWrite objStream.Read

objStream.Close
Set objStream = Nothing
Response.End
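A PHP rendering of the same approach, added here as an example (it is not OliWarner's script nor code from anyone on this thread): the files sit outside the web root in an assumed directory /var/downloads, login is assumed to set $_SESSION['svLogged'] = 1 as the ASP version does, and the script accepts nothing but a plain file name and re-checks the resolved path, so a request cannot reach outside that directory. The session check is also what answers the objection raised later in the thread that anyone who can type download.php?file=... would get the file.

```php
<?php
// download.php: serve a file from outside the web root to logged-in users only.
// Added example; not the code of any poster on this page.
// Assumptions: files live in /var/downloads (outside DocumentRoot) and the
// login page sets $_SESSION['svLogged'] = 1.

declare(strict_types=1);
session_start();

const DOWNLOAD_DIR = '/var/downloads';   // assumed location, outside the web root

// 1. The script is the gate: without a logged-in session nothing is sent,
//    so knowing the URL download.php?file=... is worthless on its own.
if ((int) ($_SESSION['svLogged'] ?? 0) !== 1) {
    http_response_code(403);
    exit('Login required');
}

$requested = $_GET['file'] ?? '';

// 2. Only a bare file name is accepted: basename() must leave it unchanged and
//    the pattern allows a single plain name plus extension, nothing else.
if ($requested === '' || $requested !== basename($requested)
    || !preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $requested)) {
    http_response_code(400);
    exit('Bad file name');
}

// 3. Resolve the path and confirm it still lies inside DOWNLOAD_DIR, so a
//    symlink or an unexpected name cannot point anywhere else.
$base = realpath(DOWNLOAD_DIR);
$path = realpath(DOWNLOAD_DIR . DIRECTORY_SEPARATOR . $requested);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('No such file');
}

// 4. Content type from a fixed map; unknown extensions go out as plain binary.
$types = [
    'zip' => 'application/zip',
    'exe' => 'application/octet-stream',
    'pdf' => 'application/pdf',
    'doc' => 'application/msword',
    'xls' => 'application/vnd.ms-excel',
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif',
];
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
$contentType = $types[$ext] ?? 'application/octet-stream';

// 5. Send as an attachment. nosniff stops the browser from reinterpreting the
//    body as something other than the declared type.
header('Content-Type: ' . $contentType);
header('Content-Disposition: attachment; filename="' . $requested . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

The name check and the realpath check overlap on purpose: the first rejects obviously bad input cheaply and gives a clean error, the second guards against whatever the file system does with the name (symlinks, case folding, trailing dots on Windows) regardless of how the input looked.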
LVL 16

Expert Comment

ID: 13814553
pussting = putting

and remember you need an ASP enabled server to do ^^ that.


Author Comment

ID: 13814554
Thank you but the URL represents just a file to be downloaded like http://www.myweb.com/subweb/23489243.exe.

There's really not an HTML page, I put the link to the .exe on a popup as insisted by my client.  Pls help.

LVL 16

Expert Comment

ID: 13814655
I'm suggesting you move your files so they cannot be accessed directly. Only if the person requests files through download.asp

Expert Comment

ID: 13815629
I had the same access problem when exporting data via web. To guarantee that only the user who's requesting the file is the only one that can get it, I append some random numbers to the file name when I export it to the public areas and then give a link to the user so that he/she can download the file; as the directory is NOT BROWSABLE by other users, finding the file would require the GUESS of the correct number.. works pretty good
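One way to make the random-number idea hold up, added as an example rather than the poster's own code: instead of renaming the file in a public folder, issue a per-user, single-use token from the operating system's random generator and keep the file outside the web root, so the token is only meaningful inside the session that requested the export. The directory /var/downloads, the session as the token store and the 10-minute lifetime are assumptions.

```php
<?php
// Per-user download tokens in place of guessable random numbers in file names.
// Added example; not code from any poster on this page.
// Assumptions: tokens are kept in the PHP session, files live in /var/downloads
// (outside the web root), and a link is valid for 10 minutes.

declare(strict_types=1);
session_start();

const DOWNLOAD_DIR = '/var/downloads';
const TOKEN_TTL    = 600; // seconds a link stays valid (assumed policy)

// Called when the export is ready: records file, and expiry under a fresh token
// that lives only in this user's session, so no other user can present it.
function issueDownloadToken(string $fileName): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG, not rand()
    $_SESSION['downloads'][$token] = [
        'file'    => basename($fileName), // never a path
        'expires' => time() + TOKEN_TTL,
    ];
    return $token;
}

// Called by download.php?t=...: returns the file path for a live token from this
// session, or null. The token is consumed on first use, valid or not.
function redeemDownloadToken(string $token): ?string
{
    $entry = $_SESSION['downloads'][$token] ?? null;
    if ($entry === null) {
        return null;                          // unknown, or another user's token
    }
    unset($_SESSION['downloads'][$token]);    // single use
    if ($entry['expires'] < time()) {
        return null;                          // expired
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . $entry['file']);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;                          // not under DOWNLOAD_DIR
    }
    return $path;
}

// Usage (assumed $userId): after exporting, build the link for this user
//   $link = '/download.php?t=' . issueDownloadToken('export_' . $userId . '.csv');
// and in download.php
//   $path = redeemDownloadToken($_GET['t'] ?? '');
//   if ($path === null) { http_response_code(404); exit; }
//   header('Content-Type: application/octet-stream');
//   header('Content-Disposition: attachment; filename="' . basename($path) . '"');
//   readfile($path);
```

Because the file never sits in a browsable or guessable location, the scheme does not depend on directory listing being off or on the number being long enough; the session binding is what does the work, and the token only has to be unguessable for its 10-minute life.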

Expert Comment

ID: 13822382
Trying to use the Header to get the referring page does not always work.  Often HTTP_REFERER is empty for one or another reasons. It is not reliable.

The simplest route globally to shore up your members area is to put everything in an "htaccess" folder and manage a password system to allow them in.  This will force users who want to access this area of the site to login.  Hotlinking to filenames will not work with htaccess.

I agree with Oli Warner to an extent.  Using obfuscation to deliver the file is a good idea (as long as the files are protected) and there is a php example below (very basic).  But it's still totally insecure!   All they need to do is follow the link to the file download.  If they can type "download.php?file=foobar.exe" then that's defeated before it starts without some better kind of safeguard.

A program like Intellitamper will usually show anyone the directory and file structure of any website, so hiding things in sneaky folders is pointless.

HTACCESS will solve all your short term worries with about 5 lines of text and 2 tiny ftp files. I can send you the files for a basic setup by email or post here if it sounds appealing.

HTACCESS brings up a Windows/IE password box itself.  No programming is needed. Just 1 file in the directory to protect and 1 password file.  PHP is not required but 'helpful' for managing passwords etc.

The only problem is that your site may need very slight modification to use the new htaccess members login.

Can you tell me what you have used to create your site? be it ASP, PHP both or something else?

//link code

//download.php basic example
//scot forshaw

header("Content-Disposition: attachment; filename=hello.exe");
readfile("files/hello.exe"); /* include() would try to run the file as PHP; readfile() sends its bytes */



Author Comment

ID: 13823095

 $file = "/SOMEFOLDER/1/0/5/55/???/user/SOMENUM/XXX/MYCOMNPANY/MYDIR/droppedoff/120000003.exe";
 $fp = fopen($file, "rb");
 header("Content-Type: application/octet-stream");
 header("Content-Disposition: attachment; filename=somefile.exe");
 fpassthru($fp); // actually send the bytes; fopen alone outputs nothing
 fclose($fp);

 I FOUND THE ABOVE CODE WHICH DOESN'T GIVE A HINT of where somefile.exe comes from.  The boss is happy enough with that.  I think OliWarner came the closest.  Maybe it's not a secure site or the ultimate solution but it follows along the lines of obfuscation.  I had no idea prior to this that server side code could generate a popup.  Let me ponder how to split the points for an hour or two while I put that snippet into test.  Thanks to everyone for their quick help.

I think perhaps the .htaccess file route may be a problem since the ISP controls the server very tightly.  I'm not counting on their technical assistance for anything anymore and we may be switching ISPs.

It feels like OliWarner is giving the ASP version of this (our site is in PHP).

Thanks people.
LVL 16

Accepted Solution

OliWarner earned 2000 total points
ID: 13823113
Yes it was the ASP version as you never specified that you needed PHP before I answered =)

Author Comment

ID: 13823131
Thank you OliWarner.  Your answer led me to the PHP answer.  It also supported me as the boss kept on about how easy it is in Perl (ugh).  

Doesn't matter the language - you were right on the money.  How amazing a popup can be generated from the server!

Everyone else thank you for your help.
