Solved
User access to HTTP protected area w/o asking them user_id/pwd

Posted on 2005-05-03
Last Modified: 2006-11-18
I have an HTTP Authentication protected directory on my website that is configured on the webserver. I want to allow users to download files from this directory WITHOUT asking them for a user_id/pwd, but providing USER and PW from my php script.

Please advise.
Question by:voznesen
14 Comments
 
LVL 12

Expert Comment

by:str_kani
ID: 13923979
You can do this in another way, by allowing the download files to all (Allow From All).
0
 
LVL 12

Expert Comment

by:str_kani
ID: 13923982
But here you will not be providing any username & password; you will be unlocking the download files.
0
 

Author Comment

by:voznesen
ID: 13924133
I do NOT allow ALL users to download the file, only those users who come from a specific link [e.g. http://www.woo.com?email=registered_email].
Again, the file is in an HTTP Authentication protected directory. The users would not need to authenticate; instead I'm going to validate the users' email in my php script.
0

 
LVL 3

Expert Comment

by:designbai
ID: 13924189
Check the referer page $_SERVER["HTTP_REFERER"]; if the referer page is in your list of allowed links, then allow them to download.
0
 
LVL 12

Expert Comment

by:str_kani
ID: 13924190

This is not going to be possible (I think), because HTTP authentication will be performed to enter the file, so you will need to provide the username and password to enter the file even to validate the script.
0
 

Author Comment

by:voznesen
ID: 13924327
designbai,

You wrote '..then allow them to download..'

How?

Actually I found the solution. I'd like to split points between the experts who tried to answer.
0
 

Author Comment

by:voznesen
ID: 13924352
I wanted to give 300 points to expert str_kani and 200 to expert designbai, but I did not know how to do that.
So if a moderator could help me to do that, I'd appreciate the help.

Thank you all!
0
 

Author Comment

by:voznesen
ID: 13927869
Dear Diablo84,

Thank you very much!

The contributions of str_kani and designbai were not productive; I awarded them for the response itself.
Technically, no other expert responded in a timely manner at all.

So, at the moment:

1. I need input on this problem as I described it initially.

2. I can change the problem to
 'I am going to send users an email with a link to download a file from my system. How do I allow registered users [with a stored email address in the database] to download that file and deny the rest?'



0
 
LVL 27

Accepted Solution

by:
Diablo84 earned 2000 total points
ID: 13928642
voznesen,

The way we usually approach this is to have the HTTP Authentication protected directory with the protected files in it and then have a separate php file outside of this directory. This php file will handle the authentication via a custom approach and then give the user access to the files via the include function or the readfile function.

In normal circumstances this would be handled via a combination of user authentication and session variables. For example, a user logs in to your site, their log in is validated, a session variable is set.

$_SESSION['auth'] = true;

Then the php file that handles the download would have a condition restricting their access...

if (isset($_SESSION['auth']) && $_SESSION['auth'] == true) {
 //authorized to download file
 //headers for download
}
else {
 //user not allowed to access file
}

Anyone who tries to access the files directly (and not via the php file) will be stopped by the HTTP Authentication. Anyone who accesses the php script without having the session variable set will be stopped by the conditional.

In your case we will have to take a slightly different approach since you want to handle it via email. First of all I will cover the basic "how to", then I will touch on the subject of better validation with this method. For the sake of example we will refer to the page that will handle the download as "download.php".

In the email that you would send to any given user you would provide a link that looks like this:

http://yourdomain.com/path/to/download.php?auth=AUTHENTICATIONHERE

... where AUTHENTICATIONHERE would be the value that you will use to check that they are allowed to download the file, as a basic example we will use an email address. Now, download.php will look something like this:

<?php
$protecteddir = $_SERVER['DOCUMENT_ROOT'].'/path/to/dir/'; //the protected directory path
$file = 'filename.ext'; //the name of the file to download

if (array_key_exists('auth', $_GET)) {

 //here you have to do some validation to check the auth value in the query string is valid, eg:
 //for example querying the value against a database table to check that a row exists for this value.
 //$db is assumed to be an already-open mysqli connection. The auth value is bound as a query
 //parameter instead of being concatenated into the SQL string, so a crafted value such as
 //  ' OR '1'='1
 //cannot change the meaning of the query (SQL injection).
 $stmt = $db->prepare("SELECT 1 FROM your_table WHERE some_field = ? LIMIT 1")
  or die("Query Error");
 $stmt->bind_param('s', $_GET['auth']);
 $stmt->execute() or die("Query Error");
 $stmt->store_result();

 if ($stmt->num_rows == 1) {

  //a row was returned from the query, download ok...
  //this is the part that actually handles the download of the file

  $size = filesize($protecteddir.$file);
  header("Content-Type: application/octet-stream");
  header("Content-Length: ".$size);
  //the filename is quoted so a name containing spaces or ';' cannot break the header
  header('Content-Disposition: attachment; filename="'.$file.'"');
  readfile($protecteddir.$file);
  exit; //nothing else must be sent after the file body

 }
 else {
  //no record, invalid access
  die("Access Denied");
 }

}
else {
 //no auth value supplied at all
 die("Access Denied");
}
?>

Notes:

1. As you may have noticed, the problem with this is that anyone who knows a valid mail address can access the files. What usually happens to ensure a secure system is, when the mail is first sent to the user, a string is generated which will be the result of a combination of the substr, time and md5 functions. This string is then stored in a database ready for validation. When the user follows the link from the mail the string can then be compared against those stored in your database and validated. Optionally, you can also delete the database record for any given generated string after the file has been downloaded (so it's only valid once). A generated random string is almost impossible to guess.

2. In the above, where the download is handled, the content type is specified as application/octet-stream. This should only be used when we don't know what type of file to expect. If you are going to be downloading a specific type of file every time you should find out its MIME type and use that.

Your alternative to this approach is to fall back on letting your registered user system act as the validation (which will be much the same as the option I initially mentioned with sessions). This means that you won't have to worry about the validation technique mentioned above; however your users will have to be logged in when they access the page. If you have a "remember me" option set up (using cookies to sustain their login) then this probably won't be a problem, otherwise they will have to log into their account after following the link in the email before they can access the download.

So, if for example, when they log in to your site you set a session variable called $_SESSION['username'], your check can then simply be if (isset($_SESSION['username'])) { ... let them download the file.

To summarise though, the important part here is this section of code:

$protecteddir = $_SERVER['DOCUMENT_ROOT'].'/path/to/dir/'; //the protected directory path
$file = 'filename.ext'; //the name of the file to download

$size = filesize($protecteddir.$file);
header("Content-Type: application/octet-stream");
header("Content-Length: ".$size);
header('Content-Disposition: attachment; filename="'.$file.'"');
readfile($protecteddir.$file);

Which can be used to access a file from the directory via a php file.

If you have any questions please feel free to ask.

Diablo84
0
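The accepted answer above describes the pieces (a link carrying a one-time value, a database row to validate it against, deleting the row after use, and a handler that streams the file from the protected directory) but does not show them working together. The following is an added, self-contained example and is not code from the original thread; it mirrors download.php in Python with an in-memory SQLite table standing in for "your_table", and a temporary directory standing in for the protected directory. Where the answer suggests building the string from substr, time and md5, the example swaps in secrets.token_urlsafe (a CSPRNG), because a value derived from the clock is guessable. It also marks the token as used with a conditional UPDATE so two simultaneous requests cannot both succeed, and refuses any stored filename that is not a plain basename, so a row containing "../secret" cannot reach outside the protected directory. All table names, filenames and the sample file contents are constructed for the example.

```python
import os
import secrets
import sqlite3
import tempfile
import time


def open_store():
    """Constructed stand-in for the 'your_table' that download.php queries."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE download_tokens ("
        " token TEXT PRIMARY KEY, email TEXT NOT NULL, filename TEXT NOT NULL,"
        " expires_at INTEGER NOT NULL, used INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def issue_token(db, email, filename, ttl_seconds=86400, now=None):
    """Create the one-time 'auth' value to put in the emailed link."""
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
    db.execute(
        "INSERT INTO download_tokens (token, email, filename, expires_at)"
        " VALUES (?, ?, ?, ?)",
        (token, email, filename, now + ttl_seconds),
    )
    db.commit()
    return token


def redeem_token(db, presented, now=None):
    """Validate the presented value and burn it. Returns the filename or None."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT filename, expires_at FROM download_tokens"
        " WHERE token = ? AND used = 0",
        (presented,),  # bound parameter: the value never touches the SQL text
    ).fetchone()
    if row is None:
        return None
    filename, expires_at = row
    if now > expires_at:
        return None
    # Conditional update: only one concurrent request can flip used from 0 to 1.
    cur = db.execute(
        "UPDATE download_tokens SET used = 1 WHERE token = ? AND used = 0",
        (presented,),
    )
    db.commit()
    return filename if cur.rowcount == 1 else None


def resolve_download(protected_dir, filename):
    """Allow only a plain file name inside protected_dir (no '../', no subdirs)."""
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        return None
    path = os.path.join(protected_dir, filename)
    return path if os.path.isfile(path) else None


def handle_download(db, protected_dir, presented_token, now=None):
    """Equivalent of download.php: returns (status, headers, body)."""
    filename = redeem_token(db, presented_token, now)
    if filename is None:
        return 403, {}, b"Access Denied"
    path = resolve_download(protected_dir, filename)
    if path is None:
        return 404, {}, b"Not Found"
    with open(path, "rb") as f:
        body = f.read()
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Length": str(len(body)),
        "Content-Disposition": 'attachment; filename="%s"' % filename,
    }
    return 200, headers, body


def demo():
    """Constructed end-to-end run; returns the status code of each request."""
    with tempfile.TemporaryDirectory() as protected_dir:
        with open(os.path.join(protected_dir, "report.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed sample file")
        db = open_store()
        t0 = 1_700_000_000
        token = issue_token(db, "user@example.com", "report.pdf", now=t0)
        first = handle_download(db, protected_dir, token, now=t0 + 60)[0]
        second = handle_download(db, protected_dir, token, now=t0 + 61)[0]  # burnt
        # Knowing the email address alone (the weakness the answer's note 1 describes)
        # no longer helps, because the email is not the secret.
        guess = handle_download(db, protected_dir, "user@example.com", now=t0)[0]
        short = issue_token(db, "user@example.com", "report.pdf", ttl_seconds=10, now=t0)
        expired = handle_download(db, protected_dir, short, now=t0 + 11)[0]
        bad = issue_token(db, "user@example.com", "../secret.txt", now=t0)
        traversal = handle_download(db, protected_dir, bad, now=t0)[0]
        return first, second, guess, expired, traversal


if __name__ == "__main__":
    print(demo())
```

The email address stays in the table for auditing and for deciding which file the row grants, but the only thing the link carries is the random token; expiry and single use limit how long a leaked link in a mailbox remains useful. In the PHP version the same shape applies: the SELECT finds the row by token, the UPDATE (or DELETE) burns it, and the file name comes from the row rather than from the query string.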
 

Author Comment

by:voznesen
ID: 13929107
Thank you very much!

It absolutely solves my problem!

Eu.
0
 
LVL 27

Expert Comment

by:Diablo84
ID: 13929231
no problem :)

Diablo84
0
 
LVL 12

Expert Comment

by:str_kani
ID: 13933040
First of all Thanks Diablo84,

Initially I thought of a similar answer (I am doing this kind of stuff as you specified). But voznesen specified that he wanted to let the user download the file from a password protected directory without asking them for the username and password; these last few words made me think in a different way and I mistook his need. That's why I posted that answer.

As we see, you produced a typical expert's answer and that solved another one's problem (no wonder).

THANKS FOR TAKING CARE  :)

0
 

Author Comment

by:voznesen
ID: 13937436
Diablo84,

I made typo in the question title. Could you please change 'HTPP' to 'HTTP'?

Thank you.
0
 
LVL 3

Expert Comment

by:designbai
ID: 13949618
dear Diablo84,

The following line made me think of checking the HTTP_REFERER in my answer.

>> But only user those  come from a specific link [e.g. http://www.woo.com?email=registered_email].

thanks for an expert's answer.
0