Deny access to files, except if the user is coming from a specific page

Hi,

I have a lot of files in a directory.
All files are linked from a certain page (one page).

How do I make it so all files can only be accessed from one page alone and not from any other pages (or direct in browser)?

I'm currently using the following htaccess, but it doesn't work:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://savefile.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://savefile.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.savefile.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.savefile.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|exe|txt|jpg|gif|bmp|png|swf|jpeg|arj|rar|zip|ace|exe|txt|nfo|txt|doc|mp3|wav|xls|pdf|ttf|avi|bin|bpp|cfg|class|cue|dcu|eps|gz|gzip|hlp|ini|iso|jar|jsp|log|lisp|mid|midi|mpg|ogg|pas|pic|ptt|ps|psd|tar|tif|gm6|gmd|gml)$ - [F,NC]

test url:
http://www.fs01.savefile.com/files/2005/04/18/[www.savefile.com]050418140609_ZantiBar.wmv
kgp43Asked:
caterham_wwwCommented:
IE has several problems with PHP downloads, try

   if(isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/MSIE/", $_SERVER['HTTP_USER_AGENT'])) {
       // IE Bug in download name workaround
       ini_set( 'zlib.output_compression','Off' );
   }


$filename = "/home/fs01/files/2005/05/22/[www.savefile.com]050522213336_For_you.zip";
$save = basename($filename);

header("Content-Type: application/octet-stream");
header("Pragma: public");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Content-Disposition: attachment; filename=\"$save\"");
readfile($filename);
0
 
caterham_wwwCommented:
>(or direct in browser).

This is not 100% possible. If you don't permit a blank/empty referer, you'll also block all users who are unable to submit a referer.
The referer is empty if
- someone types the URL into the location bar
The referer might be empty, too
- if you are behind caching machines (i.e. often at universities)
- if you are using restrictively configured internet security software, which removes the referer (and the user often doesn't know what a referer is or how to turn off the security software feature).

So, if you remove 'allow empty referer' below, you'll also block allowed users
#######
RewriteEngine On
# you can bring it down to one line:
RewriteCond %{HTTP_REFERER} !^http://(www\.)?savefile\.com [NC]
# allow empty referer
RewriteCond %{HTTP_REFERER} !^$ [NC]
# are there any extensions which should be allowed?
RewriteCond %{REQUEST_URI} !^/.+\.(html?|txt)$
RewriteRule ^.+\.[a-zA-Z]{3,4}$ - [F]
#######

-> where did you place the code?
-> is mod_rewrite available? try
####
RewriteEngine On
RewriteRule ^.* http://www.google.com [R,L]
####
you should see google.com for every request
0
 
kgp43Author Commented:
so it will be more secure to place the files outside the public_html folder?
0

 
caterham_wwwCommented:
no, there is no difference between the public_html folder and other folders, because the request from the user is the same: either with or without a referer.

It would be more secure to place the files outside the htdocs, if you use sessions to check if the user comes from a particular site. If the previously set session variable is present, you can open the file from outside the htdocs directory locally with php (fopen), read the content (fread/fgets) and send the buffer content via php to the user...

A more complex way...
0
 
kgp43Author Commented:
I'm already using a session to check if they came from the correct page.
Can you post an example of fopen and fread/fgets to a file placed in /home/username/download?

Will this work:
$filename = "/home/username/download/file.zip";
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
header ("Content-Disposition: attachment; filename=\"$contents\"");

I have no idea if the above is correct and I can't test it before tomorrow.
0
 
caterham_wwwCommented:
$filename = "/home/username/download/file.zip";
header("Content-Type: application/octet-stream");

$save = basename($filename);

$handle = fopen($filename, "rb");
$contents = fread($handle, filesize($filename));

fclose($handle);

header("Content-Disposition: attachment; filename=\"$save\"");
echo $contents;


########### OR ############

$filename = "/home/username/download/file.zip";
header("Content-Type: application/octet-stream");
$save = basename($filename);
header("Content-Disposition: attachment; filename=\"$save\"");
readfile($filename);
0
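The session check combined with serving the file from outside the web root, as discussed above, written out as an added example that is not part of the original thread. The DOWNLOAD_DIR path, the 'download_ok' session key and the 'f' query parameter are assumptions; the example goes one step further than the thread by confining the requested name to the download directory.

```php
<?php
// Added example, not code from the thread. DOWNLOAD_DIR, the session key
// 'download_ok' and the query parameter 'f' are hypothetical names.
// The listing page (the one page users must come from) is assumed to run:
//     session_start(); $_SESSION['download_ok'] = true;

const DOWNLOAD_DIR = '/home/username/download';   // outside the web root

// Map a client-supplied name to a real file inside $baseDir, or null.
function resolve_download(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops any directory part, so "../../x" becomes "x".
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // realpath() followed symlinks; the result must still be under the base dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function send_download(string $path): void
{
    // Keep quotes, control characters and non-ASCII bytes out of the header value.
    $save = preg_replace('/[^A-Za-z0-9._\[\]-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    header("Content-Disposition: attachment; filename=\"$save\"");
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    session_start();
    if (empty($_SESSION['download_ok'])) {
        http_response_code(403);      // the session never passed the listing page
        exit('Forbidden');
    }
    $path = resolve_download((string)($_GET['f'] ?? ''), DOWNLOAD_DIR);
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    send_download($path);
}
```

Because the files are not reachable by URL at all, the Referer header no longer matters; only a session that visited the listing page gets a response.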
 
_GeG_Commented:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://savefile.com/.*$      [NC,OR]
RewriteCond %{HTTP_REFERER} !^http://savefile.com$      [NC,OR]
RewriteCond %{HTTP_REFERER} !^http://www.savefile.com/.*$      [NC,OR]
RewriteCond %{HTTP_REFERER} !^http://www.savefile.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|exe|txt|jpg|gif|bmp|png|swf|jpeg|arj|rar|zip|ace|exe|txt|nfo|txt|doc|mp3|wav|xls|pdf|ttf|avi|bin|bpp|cfg|class|cue|dcu|eps|gz|gzip|hlp|ini|iso|jar|jsp|log|lisp|mid|midi|mpg|ogg|pas|pic|ptt|ps|psd|tar|tif|gm6|gmd|gml)$ - [F,NC]

The request can never match all rewrite conditions at once, you have to connect them using or.
0
 
caterham_wwwCommented:
this is a logical and here, because the RegEx is prefixed by the exclamation mark (!), which negates the meaning.

... referer is NOT RegEx ^http://savefile.com/.*$  AND is not ^http://savefile.com$ AND is not ^http://www.savefile.com/.*$ etc.

If you remove the exclamation mark (=positive list), you'll need the OR-Flag
0
 
_GeG_Commented:
true, I missed that
if they only want to check if the user comes from their own domain, this should be enough
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?savefile\.com/ [NC]
\.(jpg|jpeg|gif|png|bmp|exe|txt|jpg|gif|bmp|png|swf|jpeg|arj|rar|zip|ace|exe|txt|nfo|txt|doc|mp3|wav|xls|pdf|ttf|avi|bin|bpp|cfg|class|cue|dcu|eps|gz|gzip|hlp|ini|iso|jar|jsp|log|lisp|mid|midi|mpg|ogg|pas|pic|ptt|ps|psd|tar|tif|gm6|gmd|gml)$ - [F,NC]
0
 
_GeG_Commented:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?savefile\.com/ [NC]
RewriteRule \.(jpg|jpeg|gif|png|bmp|exe|txt|jpg|gif|bmp|png|swf|jpeg|arj|rar|zip|ace|exe|txt|nfo|txt|doc|mp3|wav|xls|pdf|ttf|avi|bin|bpp|cfg|class|cue|dcu|eps|gz|gzip|hlp|ini|iso|jar|jsp|log|lisp|mid|midi|mpg|ogg|pas|pic|ptt|ps|psd|tar|tif|gm6|gmd|gml)$ - [F,NC]
;)
0
 
kgp43Author Commented:
caterham_www :
Need to change my file/download system before this can be tested.
Will take a few days.


GeG:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@fs01.savefile.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.


--------------------------------------------------------------------------------

Apache/1.3.33 Server at www.fs01.savefile.com Port 80
0
 
kgp43Author Commented:
GeG:
I corrected the Internal Server Error, but it still allows me to download the file in the first post.
The user must come from http://www.savfile.com/filehost/

Going to change the filesystem so it fits the other suggestion
0
 
_GeG_Commented:
try if this works:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www\.savefile\.com/filehost/.* [NC]
RewriteRule .* - [F]
0
 
_GeG_Commented:
no, this will not let anybody in, let's say all downloads are in www.savefile.com/downloads/:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www\.savefile\.com/filehost/.* [NC]
RewriteRule ^/downloads/.* - [F]

will be better
0
 
kgp43Author Commented:
still doesn't work :P
it lets me download the file by clicking the link in the first post, which shouldn't be allowed.
0
 
_GeG_Commented:
you have changed 'downloads' to the appropriate value for your system?
0
 
kgp43Author Commented:
I use modrewrite as well
Is it possible to make it work with savefile.com in general (without any folder)?
0
 
_GeG_Commented:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?savefile\.com/.* [NC]
RewriteRule ^/files/.* - [F]

0
 
kgp43Author Commented:
caterham_www:

What do you do when you need to get a file placed on another server then?
Can you connect by FTP and get it that way? If so, how?

I know how to connect to the FTP server, but I'm not sure how to get the file.
Think I need to use fget, but I'm not sure how it will work.

//FTP server info
$server_ip = "12.34.567.890";
$server_ftp_username = "user";
$server_ftp_password = "pass";

//Open the FTP connection
$conn_id = ftp_connect($server_ip);
$login_result = ftp_login($conn_id, $server_ftp_username, $server_ftp_password);

//Get the file from fileserver using FTP
fget....?

$filename = "/home/username/download/file.zip";
header("Content-Type: application/octet-stream");
$save = basename($filename);
header("Content-Disposition: attachment; filename=\"$save\"");
readfile($filename);
0
 
kgp43Author Commented:
will FTP load/read the file to the "main one" so the bandwidth will increase for each time a file is loaded from the fileserver? If so, is there another way?
0
 
kgp43Author Commented:
anyone?
0
 
caterham_wwwCommented:
you use ftp_get to download the file first from your FTP-Server into your main server space. Then open the downloaded FTP-file like above from your main server. => caching: check prior to downloading the file whether it's already on your main server
ftp_get($conn_id, $local_file_path, $remote_file_path, FTP_BINARY);


or you can write "on the fly" to an open file with ftp_fget()

ftp_fget ( int ftp_stream, int fp, string remote_file, int mode )
0
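The fetch-once-then-cache approach with ftp_get described above, as an added example that is not part of the original thread. The host name, the cache directory and the FTP_USER / FTP_PASS environment variables are assumed placeholders.

```php
<?php
// Added example, not code from the thread. Host, cache directory and the
// FTP_USER / FTP_PASS environment variables are assumed placeholders.

const CACHE_DIR = '/home/username/download';   // local cache, outside the web root
const FTP_HOST  = 'ftp.example.invalid';       // constructed placeholder host

// Return a local path for $remotePath, using FTP only on a cache miss.
function fetch_cached(string $remotePath): ?string
{
    $local = CACHE_DIR . '/' . basename($remotePath);
    if (is_file($local)) {
        return $local;                         // cache hit: no FTP traffic at all
    }

    // Plain FTP as in the thread; ftp_ssl_connect() is the TLS variant.
    $conn = ftp_connect(FTP_HOST, 21, 10);
    if ($conn === false) {
        return null;
    }

    // Download to a temporary name first so a half-written file is never served.
    $tmp = tempnam(CACHE_DIR, 'ftp');
    $ok = $tmp !== false
        && ftp_login($conn, (string)getenv('FTP_USER'), (string)getenv('FTP_PASS'))
        && ftp_pasv($conn, true)
        && ftp_get($conn, $tmp, $remotePath, FTP_BINARY)
        && rename($tmp, $local);               // atomic within one filesystem
    ftp_close($conn);

    if (!$ok) {
        if ($tmp !== false && is_file($tmp)) {
            unlink($tmp);                      // do not leave partial downloads behind
        }
        return null;
    }
    return $local;
}
```

The returned path can be handed to readfile() as in the earlier answers; the file server is contacted only the first time a given file is requested.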
 
kgp43Author Commented:
Sorry for the delay, but I had some issues with my server (again).

I tested your code, but I only get the download box with firefox - get tons of odd chars with IE.

Code:
//Download the file
$filename = "/home/fs01/files/2005/05/22/[www.savefile.com]050522213336_For_you.zip";
header("Content-Type: application/octet-stream");
$save = basename($filename);
header("Content-Disposition: attachment; filename=\"$save\"");
readfile($filename);
0
 
kgp43Author Commented:
like this:

0
 
kgp43Author Commented:
caterham_www: make an "answer" so I can accept you.
0
 
kgp43Author Commented:
that worked :)
0
Question has a verified solution.
