.htaccess RewriteCond and Rules to avoid file downloads

Using htaccess to avoid unauthorized downloads


Daleeburg

6:57 pm on Sep 26, 2007 (gmt 0)

10+ Year Member



As has been the subject of most of my posts the past week, I am trying to prevent unauthorized people from downloading a file on my website. I am attempting to do this through htaccess, PHP, and MySQL for flexibility once it is set up.

I would like to know if anybody thinks this will work.

Create a rewrite rule to prevent people from getting to the file. Then create a rewrite condition so that they can only get to the file when they go through one page that requires a login.

So the htaccess looks like this

# Space between the variable and the pattern is required; dots in the pattern are escaped
RewriteCond %{HTTP_REFERER} !^http://domain\.com/file_man/functions/downloader\.php [NC]
# Capture user folder, base name and extension, and hand them to the script
RewriteRule ^files/([^/]+)/([^\.]+)\.([^/]+)$ /file_man/functions/downloader.php?user=$1&file=$2&type=$3 [NC,L]

and the downloader.php would contain a link to the file.

Any thoughts?

~D

jdMorgan

7:27 pm on Sep 26, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



HTTP_REFERER is an optional header, not always sent even by legitimate visitors, and blocked by some corporate and ISP proxies, as well as by some "internet security" software. So you cannot rely on HTTP_REFERER unless you have a 24-hour help desk set up.

You can have the script require the login.
You can have the script set a cookie that is required to access the content files.
You can actually do this in many ways, those are just two.

Jim

Daleeburg

7:38 pm on Sep 26, 2007 (gmt 0)

10+ Year Member



I currently have a login page, but the files are not secure: if you know the address of the files, you can link directly to them. Granted, I have directory browsing off and such, but with the right tools and a few good guesses, you could be in the system. So I am trying to make it more secure than this.

Demaestro

7:53 pm on Sep 26, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I will also mention that the referrer can be spoofed as well.

Firefox even has an http_referrer spoofing add-on.

It is a great tool if you want to test your site using different referrers without actually coming from different pages.

[edited by: Demaestro at 7:57 pm (utc) on Sep. 26, 2007]

jdMorgan

3:15 am on Sep 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can use THE_REQUEST to detect and block direct HTTP client requests for URLs while still allowing access via an internally-rewritten URL. For example, to block your dynamic script URL so that it must be accessed using your static URL format, you could use:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /file_man/functions/downloader\.php
RewriteRule ^file_man/functions/downloader\.php$ - [F]

The result is that all direct client requests for "downloader.php" will be denied, but requests for files/abc/def.jpg will be rewritten and invoke the downloader.php script normally.

You could extend this concept to the downloadable content files as well, but if your download script is doing file reads to serve the download content, then you can deny HTTP access to the entire download content directory. Since the script will be using local file system reads and not HTTP to get and send the content, no HTTP access need be allowed at all.

Jim
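The following downloader.php is an added example, not code from the thread or from either poster. It shows what the script behind the first post's rewrite rule and Jim's suggestion would look like: the content lives in a directory outside the web root (assumed here to be /var/www/private), so no HTTP access to it is ever needed, and the script requires a login (assumed to set $_SESSION['user']), whitelists the user/file/type parameters so they cannot be used for directory traversal, and streams the file with a local read. The STORAGE_ROOT path, the session key and the character classes are this example's own assumptions.

```php
<?php
// Added example (not from the thread): downloader.php that serves files from a
// directory OUTSIDE DocumentRoot. Assumes the rewrite from the original post
// supplies ?user=...&file=...&type=... and that the login page sets $_SESSION['user'].
declare(strict_types=1);

session_start();

// Assumption: downloads are stored here, outside the web root.
const STORAGE_ROOT = '/var/www/private';

// 1. Require a login (whatever the existing login page sets).
if (empty($_SESSION['user'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Login required');
}

// 2. Whitelist the parameters with the same shape the RewriteRule captured,
//    so "../" or encoded separators can never reach the file system.
$user = $_GET['user'] ?? '';
$file = $_GET['file'] ?? '';
$type = $_GET['type'] ?? '';
if (!preg_match('/^[A-Za-z0-9_-]+$/', $user)
    || !preg_match('/^[A-Za-z0-9_-]+$/', $file)
    || !preg_match('/^[A-Za-z0-9]+$/', $type)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Bad request');
}

// 3. A user may only fetch files from their own folder.
if ($user !== $_SESSION['user']) {
    header('HTTP/1.1 403 Forbidden');
    exit('Not your file');
}

// 4. Resolve the path and confirm it is still inside the storage root.
$root = realpath(STORAGE_ROOT);
$path = realpath(STORAGE_ROOT . "/$user/$file.$type");
if ($root === false || $path === false
    || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('No such file');
}

// 5. Stream the file with a local read; Apache never serves the directory itself.
header('Content-Type: application/octet-stream');
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the content directory sits outside DocumentRoot there is nothing for a direct URL to hit, which is the point Jim makes above; the THE_REQUEST rule from his post still keeps clients from calling downloader.php directly, so the only route to a file is the rewritten /files/... URL plus a valid session.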

g1smd

10:19 pm on Sep 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I like those systems that generate an on-page link to the file, where the URL in the link is a different one for every user, and only works the one time for each user.
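The single-use, per-user link g1smd describes can be built with a random token that is issued when the page renders the link and spent atomically when it is redeemed. This is an added example, not code from the thread: it assumes PHP 7 or later (random_bytes) with PDO and SQLite, and the table name, column names, database path and ten-minute lifetime are this example's own choices. Only the SHA-256 hash of the token is stored, so a copy of the database does not yield usable links.

```php
<?php
// Added example (not from the thread): single-use, per-user download tokens.
// Redemption is a single UPDATE guarded by "used_at IS NULL", so two racing
// requests for the same link cannot both succeed.
declare(strict_types=1);

const TOKEN_TTL = 600; // seconds an unused link stays valid (assumption)

function open_db(string $dsn = 'sqlite:/var/www/private/tokens.db'): PDO
{
    $pdo = new PDO($dsn);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS download_tokens (
        token_hash TEXT PRIMARY KEY,
        user       TEXT NOT NULL,
        file       TEXT NOT NULL,
        expires_at INTEGER NOT NULL,
        used_at    INTEGER
    )');
    return $pdo;
}

// Called while rendering the page: returns the token to put in the link.
function issue_token(PDO $pdo, string $user, string $file): string
{
    // 256 bits of randomness, URL-safe base64 without padding.
    $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
    $stmt = $pdo->prepare('INSERT INTO download_tokens
        (token_hash, user, file, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $user, $file, time() + TOKEN_TTL]);
    return $token;
}

// Called by the download script: spends the token and returns the file name,
// or null if it is unknown, expired, already used, or issued to another user.
function redeem_token(PDO $pdo, string $user, string $token): ?string
{
    $hash = hash('sha256', $token);
    $now  = time();
    $stmt = $pdo->prepare('UPDATE download_tokens SET used_at = ?
        WHERE token_hash = ? AND user = ? AND used_at IS NULL AND expires_at > ?');
    $stmt->execute([$now, $hash, $user, $now]);
    if ($stmt->rowCount() !== 1) {
        return null; // nothing was marked used, so the link is not valid
    }
    $row = $pdo->prepare('SELECT file FROM download_tokens WHERE token_hash = ?');
    $row->execute([$hash]);
    $file = $row->fetchColumn();
    return $file === false ? null : (string) $file;
}

// Usage sketch. On the page that lists downloads (user taken from the session):
//   $pdo = open_db();
//   $t = issue_token($pdo, $_SESSION['user'], 'report.pdf');
//   echo '<a href="/download.php?t=' . htmlspecialchars($t) . '">report.pdf</a>';
// In download.php, after session_start():
//   $file = redeem_token(open_db(), $_SESSION['user'], $_GET['t'] ?? '');
//   if ($file === null) { header('HTTP/1.1 403 Forbidden'); exit; }
//   ...then stream $file from the private directory with a local read.
```

Tying the token to the logged-in user means a link copied out of one account is useless in another, and the expiry keeps unclicked links from accumulating as a standing way in. An occasional DELETE of rows whose expires_at is in the past keeps the table small.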