Solve Anyone Can Download Problem

Within a popup, I have created a link to a file which I would like my users to download.  My site also has some crude authentication mechanism but is not a 'secure' site.

Now we find out anybody can just navigate to the URL directly and gain access to the file.

How can I protect the URL from being accessed by just anybody?  The URL represents a file we want the user to download.

supportorangesAsked:
 
OliWarnerCommented:
Yes it was the ASP version as you never specified that you needed PHP before I answered =)
 
COBOLdinosaurCommented:
In the request for the page there is a field "referrer" that contains the URL of the page where the link was clicked; if the user navigates to your page from the address bar or favorites, that field will be blank.

Just test that and don't give them the page if they did not come from your link.

The actual syntax to test the field depends on the language you do your processing with server side, but is generally in a format like if(request.referrer=="")

Cd&
 
OliWarnerCommented:
The only way to protect against hotlinking is putting the files where they are not directly accessible and a script that streams the files out to users.

This is my ASP version of it, but the same idea should work for other server-side scripting languages.
If you keep your files in C:\downloadfiles\ and call download.asp?fileloco=pie.exe, this will stream out pie.exe to you.
Because pie.exe isn't in the web root, you can't just download www.example.com/files/pie.exe.
If you want only logged-in people, use sessions when you log in so a session called svLogged is made.
<%
'redirect non members
If Session("svLogged") <> 1 Then Response.Redirect("/")

'      Forced Download Script by OliWarner.
'      Please distribute, but leave these comments in.

'      FileSizing Function

Function ShowFileSize(filespec)
    Dim fso, f
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.GetFile(filespec)
    ShowFileSize = f.Size
    Set f = Nothing
    Set fso = Nothing
End Function

'      And the beat goes on...

Response.Buffer = True

Dim strFilePath, strFileSize, strFileName, strFileType, DLFile, objStream, ContentType
Const adTypeBinary = 1

DLFile = Request.QueryString("fileloco")

' Only a bare file name is accepted: no path separators and no "..", otherwise
' fileloco=..\..\secret.txt would read a file outside C:\downloadfiles\
If DLFile = "" Or InStr(DLFile, "\") > 0 Or InStr(DLFile, "/") > 0 Or InStr(DLFile, "..") > 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

strFilePath = "C:\downloadfiles\" & DLFile 'change this to wherever your files are kept
strFileSize = ShowFileSize(strFilePath)
strFileName = DLFile

Response.Clear

Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = adTypeBinary
objStream.LoadFromFile strFilePath

' Pick a MIME type from the last four characters of the name (".jpg" or "jpeg")
strFileType = LCase(Right(strFileName, 4))

Select Case strFileType
    Case ".asf"
        ContentType = "video/x-ms-asf"
    Case ".avi"
        ContentType = "video/avi"
    Case ".doc"
        ContentType = "application/msword"
    Case ".zip"
        ContentType = "application/zip"
    Case ".xls"
        ContentType = "application/vnd.ms-excel"
    Case ".gif"
        ContentType = "image/gif"
    Case ".jpg", "jpeg"
        ContentType = "image/jpeg"
    Case ".wav"
        ContentType = "audio/wav"
    Case ".mp3"
        ContentType = "audio/mpeg3"
    Case ".mpg", "mpeg"
        ContentType = "video/mpeg"
    Case ".rtf"
        ContentType = "application/rtf"
    Case ".htm", "html"
        ContentType = "text/html"
    Case Else
        ' anything unknown is sent as a plain binary download
        ContentType = "application/octet-stream"
End Select

Response.AddHeader "Content-Disposition", "attachment; filename=" & strFileName
Response.AddHeader "Content-Length", strFileSize

Response.Charset = "UTF-8"
Response.ContentType = ContentType

Response.BinaryWrite objStream.Read
Response.Flush

objStream.Close
Set objStream = Nothing
%>
 
OliWarnerCommented:
pussting = putting

and remember you need an ASP enabled server to do ^^ that.
 
supportorangesAuthor Commented:
Thank you, but the URL represents just a file to be downloaded, like http://www.myweb.com/subweb/23489243.exe.

There's really not an HTML page; I put the link to the .exe on a popup as insisted by my client.  Please help.

 
OliWarnerCommented:
I'm suggesting you move your files so they cannot be accessed directly, only when the person requests them through download.asp.
 
neu-rahCommented:
I had the same access problem when exporting data via the web. To guarantee that the user who is requesting the file is the only one that can get it, I append some random numbers to the file name when I export it to the public area and then give a link to the user so that he/she can download the file. As the directory is NOT BROWSABLE by other users, finding the file would require GUESSING the correct number. Works pretty well.
 
terminator_IIICommented:
Trying to use the header to get the referring page does not always work.  Often HTTP_REFERER is empty for one reason or another. It is not reliable.

The simplest route globally to shore up your members area is to put everything in an "htaccess" folder and manage a password system to allow them in.  This will force users who want to access this area of the site to log in.  Hotlinking to filenames will not work with htaccess.

I agree with Oli Warner to an extent.  Using obfuscation to deliver the file is a good idea (as long as the files are protected) and there is a PHP example below (very basic).  But it's still totally insecure!   All they need to do is follow the link to the file download.  If they can type "download.php?file=foobar.exe" then that's defeated before it starts without some better kind of safeguard.

A program like Intellitamper will usually show anyone the directory and file structure of any website, so hiding things in sneaky folders is pointless.

HTACCESS will solve all your short-term worries with about 5 lines of text and 2 tiny FTP files. I can send you the files for a basic setup by email or post them here if it sounds appealing.

HTACCESS brings up a Windows/IE password box itself.  No programming is needed. Just 1 file in the directory to protect and 1 password file.  PHP is not required but 'helpful' for managing passwords etc.

The only problem is that your site may need very slight modification to use the new htaccess members login.

Can you tell me what you have used to create your site? Be it ASP, PHP, both, or something else?

//link code
www.mysite.com/download.php?file=hello.exe

<?php
//download.php basic example
//scot forshaw
$file = isset($_GET['file']) ? basename($_GET['file']) : '';   // keep only the file name part
if (strlen($file) != 0)
{
    $filename = sprintf("files/%s", $file);   /* files/hello.exe */
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=" . $file);
    readfile($filename);   // send the bytes to the browser (include() would try to run them as PHP)
    exit();
}
?>
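A hardened download.php, added here as an illustration (not code from any participant), that combines the approach in OliWarner's ASP script (files outside the web root, session check) with the safeguard terminator_III says the basic PHP script lacks. It assumes login sets $_SESSION['logged_in'], that files live in /var/www/private/files (a directory the web server does not serve), and that the link is download.php?file=hello.exe; all of these names are assumptions.

```php
<?php
// Added example, not code from the original thread.
// Assumed: login sets $_SESSION['logged_in'] = true, and the files sit in FILE_DIR,
// a directory outside the document root, so they cannot be fetched by URL directly.
session_start();

const FILE_DIR = '/var/www/private/files';   // assumed location, outside the web root

// 1. Only logged-in users get anything at all.
if (empty($_SESSION['logged_in'])) {
    header('Location: /login.php');
    exit;
}

$name = $_GET['file'] ?? '';

// 2. Accept only a plain file name: letters, digits, dot, dash, underscore, not starting with a dot.
//    This rejects '/', '\' and '..', so ?file=../../etc/passwd never reaches the filesystem.
if ($name === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $name) || $name[0] === '.') {
    http_response_code(400);
    exit('Bad file name');
}

// 3. Belt and braces: after resolving symlinks, the file must still be inside FILE_DIR.
$base = realpath(FILE_DIR);
$path = ($base === false) ? false : realpath($base . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('No such file');
}

// 4. Stream the file as an attachment; $name is already validated, so it is safe in the header.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

The session check is what makes the script more than obfuscation: a visitor who types the URL by hand is redirected to the login page instead of getting the file.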
 
supportorangesAuthor Commented:

<?php
 $file =  "/SOMEFOLDER/1/0/5/55/???/user/SOMENUM/XXX/MYCOMNPANY/MYDIR/droppedoff/120000003.exe";
 $fp = fopen($file, "rb");                 // binary mode, so the bytes are not altered on Windows servers
 header("Content-Type: application/octet-stream");
 header("Content-Disposition: attachment; filename=somefile.exe");
 header("Content-Transfer-Encoding: binary");
 fpassthru($fp);                           // stream the file to the browser
 fclose($fp);
?>

I FOUND THE ABOVE CODE, WHICH DOESN'T GIVE A HINT of where somefile.exe comes from.  The boss is happy enough with that.  I think OliWarner came the closest.  Maybe it's not a secure site or the ultimate solution, but it follows along the lines of obfuscation.  I had no idea prior to this that server-side code could generate a popup.  Let me ponder how to split the points for an hour or two while I put that snippet into test.  Thanks to everyone for their quick help.

I think perhaps the .htaccess file route may be a problem since the ISP controls the server very tightly.  I'm not counting on their technical assistance for anything anymore and we may be switching ISPs.

It feels like OliWarner is giving the ASP version of this (our site is in PHP).

Thanks people.
 
supportorangesAuthor Commented:
Thank you, OliWarner.  Your answer led me to the PHP answer.  It also supported me as the boss kept on about how easy it is in Perl (ugh).

The language doesn't matter - you were right on the money.  How amazing that a popup can be generated from the server!

Everyone else thank you for your help.