New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Secure File Download
Hello, lets assume I run asd.com and I have a password-protected site.
In this site I have a list of file a user can download.
I want the files to be download able only when the user clicks the link via asd.com and not directly when he for example try asd.com/file.zip.
I'm running lighttpd.
how can this be achieved?
Comments
google://disable hotlinking lighttpd
Good, I didn't remember that was called hotlinking.
btw the referer trick is bypass-able. I need something else.
store the files outside of the directory and let php decide who gets it
On the page that you require them to view first, generate a unique token, and store it in a database, along with their IP address. Include the token in the links you generate, something like http://asd.com/file.zip?token=706b16b2fb732ab6079a10fea61d078b. Store the files in directory above your directory root, so that they can't be downloaded directly. Use a rewrite to rewrite the URL to something like download.php?file=file.zip&token=706b16b2fb732ab6079a10fea61d078b. download.php should look up the token and IP address in the database, and if they're found, allow the download, and send the file, and delete the record from the database so that it can't be used for a replay attack.