问题
so suppose my server is located in http://www.example.com
I then put a file file.exe in the files directory in the root server hence normally you can download that file by typing this into the browser
http://www.example.com/files/file.exe
And suppose that I have a php script that first authenticates the user and then redirect them to that file.exe download page
eg. using this method:
header('Location: http://www.example.com/files/file.exe');
exit(0);
what is the best way to
1.) prevent unauthenticated users from being able to access that file by typing in that URL above And
2.) have the php script still able to serve that file despite 1.) hence authenticated users should be able to download that file on that location
supposing that I use the standard LAMP stack (also I use Zend Framework)
回答1:
0: Match your file with keys in database. EG. file.exe = 2fae
1: Let user go to
http://www.example.com/download.php?key=2fae
2/3: Check if user has the right to download that key/file.
3/2: Lookup in database, match that key with actual file path
4: On download.php, write.
header('Content-disposition: attachment; filename='.$actual_file_path_and_name);
header('Content-type: application/exe'); // optional
readfile($filename);
It lets user download file.exe without letting him see the actual URL of file.exe. It happens on download.php.
Ref: http://webdesign.about.com/od/php/ht/force_download.htm
回答2:
Assuming the file is not ridiculously large, this should work:
Put the file somewhere outside of the web server document root so no web browsers can get to it directly.
Have your PHP script serve the file to users if they are authenticated.
Be sure to send the correct MIME type for the file using
header().
If the file is very large, you may hit some PHP memory or output limits.
回答3:
If you're using Zend Framework you should really consider to use the built-in solution that the framework give you and not to use simple php script. The best solution, using ZF, is to use Zend_Session in conjunction with Zend_Acl. So you'll set a value in the session user which describe the visitor role when they login into your website. Then, you can restrict access to the resource using Zend_Acl based on the role that is set in the session.
回答4:
I think that using a php proxy to access the files would be sufficient in this case, something along the lines of:
Download.php
<?php
/** Load your user assumed $user **/
$file = '/files/file.exe';
if (true === $user->exists()) { //do any other acl checks here
//from http://php.net/manual/en/function.readfile.php
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.$file.'"');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
} else {
throw new Exception('Download restricted to authorized users only');
}
.htaccess To deny all direct file downloads place in /files/ directory with the following contents
deny from all
You would then link to the file by using /download.php? and it would only download that file if the user is logged in
Hope that helps
来源:https://stackoverflow.com/questions/8264164/restricting-file-download-in-php