User access to HTTP protected area w/o asking them user_id/pwd

I have an HTTP Authentication protected directory on my website that is configured on the webserver. I want to allow users to download files from this directory WITHOUT asking them for a user_id/pwd, but providing the USER and PW from my php script.

Please advise.
voznesenAsked:
Diablo84Commented:
voznesen,

The way we usually approach this is to have the HTTP Authentication protected directory with the protected files in and then have a separate php file outside of this directory. This php file will handle the authentication via a custom approach and then give the user access to the files via the include function or the readfile function.

In normal circumstances this would be handled via a combination of user authentication and session variables. For example, a user logs in to your site, their log in is validated, a session variable is set.

$_SESSION['auth'] = true;

Then the php file that handles the download would have a condition restricting their access...

if (isset($_SESSION['auth']) && $_SESSION['auth'] == true) {
 //authorized to download file
 //headers for download
}
else {
 //user not allowed to access file
}

Anyone who tries to access the files directly (and not via the php file) will be stopped by the HTTP Authentication. Anyone who accesses the php script without having the session variable set will be stopped by the conditional.

In your case we will have to take a slightly different approach since you want to handle it via email. First of all I will cover the basic "how to", then I will touch on the subject of better validation with this method. For the sake of example we will refer to the page that will handle the download as "download.php".

In the email that you would send to any given user you would provide a link that looks like this:

http://yourdomain.com/path/to/download.php?auth=AUTHENTICATIONHERE

... where AUTHENTICATIONHERE would be the value that you will use to check that they are allowed to download the file, as a basic example we will use an email address. Now, download.php will look something like this:

<?php
$protecteddir = $_SERVER['DOCUMENT_ROOT'].'/path/to/dir/'; //the protected directory path
$file = 'filename.ext'; //the name of the file to download

if (array_key_exists('auth', $_GET)) {

 //here you have to do some validation to check the auth value in the query string is valid, eg:
 //querying the value against a database table to check that a row exists for this value...
 //$db is assumed to be an already-opened mysqli connection; the value from the query string
 //is bound as a parameter rather than concatenated into the SQL text, so a crafted auth
 //value cannot alter the query
 $stmt = $db->prepare("SELECT 1 FROM your_table WHERE some_field = ? LIMIT 1");
 $stmt->bind_param('s', $_GET['auth']);
 $stmt->execute() or die("Query Error");
 $stmt->store_result();

 if ($stmt->num_rows == 1) {

  //a row was returned from the query, download ok...
  //this is the part that actually handles the download of the file

  $size = filesize($protecteddir.$file);
  header("Content-type: application/octet-stream");
  header("Content-Length: ".$size);
  header("Content-Disposition: attachment; filename=\"$file\"");
  readfile($protecteddir.$file);

 }
 else {
  //no record, invalid access
  die("Access Denied");
 }

}
else {
 //no auth value in the query string at all, invalid access
 die("Access Denied");
}
?>

Notes:

1. As you may have noticed, the problem with this is, anyone who knows a valid mail address can access the files. What usually happens to ensure a secure system is, when the mail is first sent to the user, a string is generated which will be the result of a combination of the substr, time and md5 functions. This string is then stored in a database ready for validation. When the user follows the link from the mail the string can then be compared against those stored in your database and validated. Optionally, you can also delete the database record for any given generated string after the file has been downloaded (so it's only valid once). A generated random string is almost impossible to guess.

2. In the above, where the download is handled, the content type is specified as application/octet-stream. This should only be used when we don't know what type of file to expect. If you are going to be downloading a specific type of file every time you should find out its MIME type and use that.

Your alternative to this approach is to fall back on letting your registered user system act as the validation (which will be much the same as the option I initially mentioned with sessions). This means that you won't have to worry about the validation technique mentioned above; however, your users will have to be logged in when they access the page. If you have a "remember me" option set up (using cookies to sustain their login) then this probably won't be a problem, otherwise they will have to log into their account after following the link in the email before they can access the download.

So, if for example, when they log in to your site you set a session variable called $_SESSION['username'] your check can then simply be if (isset($_SESSION['username'])) { ... let them download the file.

To summarise though, the important part here is this section of code:

$protecteddir = $_SERVER['DOCUMENT_ROOT'].'/path/to/dir/'; //the protected directory path
$file = 'filename.ext'; //the name of the file to download

$size = filesize($protecteddir.$file);
header("Content-type: application/octet-stream");
header("Content-Length: ".$size);
header("Content-Disposition: attachment; filename=$file");
readfile($protecteddir.$file);

Which can be used to access a file from the directory via a php file.

If you have any questions please feel free to ask.

Diablo84
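A worked version of the token approach from Note 1 together with the download handler, as an added example that is not the answerer's code: the link secret comes from random_bytes() instead of md5(time()), only its hash is stored, expiry is checked, and the row is deleted on redemption so each link works exactly once. It assumes a PROTECTED_DIR outside the web root and uses an in-memory SQLite database purely for demonstration; in a real deployment the DSN must point at a persistent database so the token survives from the mail-sending request to the download request.

```php
<?php
// Added example, not the original poster's or Diablo84's code: one-time download
// tokens stored (hashed) in SQLite via PDO; swap the DSN for your real database.
const PROTECTED_DIR = '/var/www/protected/';  // assumed: outside the web root
const TOKEN_TTL     = 86400;                  // seconds a link stays valid
function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null,
                       [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE tokens (hash TEXT PRIMARY KEY, email TEXT, file TEXT, expires INTEGER)');
    }
    return $pdo;
}

// At mail time: the secret goes into the link; only its SHA-256 is stored,
// so a leaked table does not yield working links.
function issueToken(string $email, string $file): string {
    $token = bin2hex(random_bytes(32));       // CSPRNG, unlike md5(time())
    db()->prepare('INSERT INTO tokens VALUES (?, ?, ?, ?)')
        ->execute([hash('sha256', $token), $email, $file, time() + TOKEN_TTL]);
    return $token;
}

// In download.php: returns the file name once per token, null otherwise.
// The DELETE row count decides, so two concurrent requests cannot both win.
function redeemToken(string $token): ?string {
    $hash = hash('sha256', $token);
    $sel = db()->prepare('SELECT file FROM tokens WHERE hash = ? AND expires > ?');
    $sel->execute([$hash, time()]);
    $file = $sel->fetchColumn();
    if ($file === false) return null;
    $del = db()->prepare('DELETE FROM tokens WHERE hash = ?');
    $del->execute([$hash]);
    return $del->rowCount() === 1 ? $file : null;
}

// Serve from the protected directory; basename() keeps the stored name inside it.
function sendFile(string $file): void {
    $path = PROTECTED_DIR . basename($file);
    if (!is_file($path)) { http_response_code(404); exit('Not found'); }
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    readfile($path);
}
// Request handling for download.php?auth=<token>
$file = redeemToken((string)($_GET['auth'] ?? ''));
if ($file === null) { http_response_code(403); exit('Access Denied'); }
sendFile($file);
```

The mail-sending script calls issueToken($email, 'filename.ext') and puts the returned value in the link; a second request with the same token, or one after TOKEN_TTL, gets the 403.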
str_kaniCommented:
You can do this in another way, by allowing the downloaded files to all, (Allow From All )
str_kaniCommented:
but here you will not be providing any username & password, but unlocking the download files.
voznesenAuthor Commented:
I do NOT allow all users to download the file, but only users who come from a specific link [e.g. http://www.woo.com?email=registered_email].
Again. The file is in an HTTP Authentication protected directory. The users would not need to authenticate, instead I'm going to validate users' email in my php script.
designbaiCommented:
check the referer page $_SERVER["HTTP_REFERER"], if the referer page is in your list of allowed links, then allow them to download.
str_kaniCommented:

This is not going to be possible (I think), because, http authentication will be performed to enter into the file, so you will need to provide the username and pass to enter into the file even to validate the script.
voznesenAuthor Commented:
designbai,

You wrote '..then allow them to download..'

How?

Actually I found the solution. I'd like to split points between the experts who tried to answer.
voznesenAuthor Commented:
I wanted to give 300 points to expert str_kani and 200 to expert designbai. But I did not know how to do that.
So if moderator could help me to do that, I'd appreciate the help.

Thank you all!
voznesenAuthor Commented:
Dear Diablo84,

Thank you very much!

The contributions of str_kani and designbai were not productive; I awarded them for the response itself.
Technically, no other expert responded in a timely manner at all.

So, at the moment:

1. I need input on this problem as I described it initially.

2. I can change the problem to
 'I am going to send users email with link to download file from my system. How to allow registered users [with stored email address in database] to download that file and deny the rest?'

voznesenAuthor Commented:
Thank you very much!

It absolutely solves my problem!

Eu.
Diablo84Commented:
no problem :)

Diablo84
str_kaniCommented:
First of all Thanks Diablo84,

Initially I thought of a similar answer (I am doing this kind of stuff as you specified). But voznesen specified that he wants to let the user download the file from a password protected directory without asking them the username and password; these last few words made me think in a different way and I mistook his need. That's why I posted that answer.

As we see, you produced a typical expert's answer and that solved another one's problem (no wonder).

THANKS FOR TAKING CARE  :)

voznesenAuthor Commented:
Diablo84,

I made typo in the question title. Could you please change 'HTPP' to 'HTTP'?

Thank you.
designbaiCommented:
dear Diablo84,

The following line made me think of checking the HTTP_REFERER in my answer.

>> But only user those  come from a specific link [e.g. http://www.woo.com?email=registered_email].

thanks for an expert's answer.