PHP - Protecting digital Downloads

Question

I\'m trying figure out how I can protect digital downloads in PHP. Just need some general directions so I can start my research. I don\'t seem to be able to find anything us

Answer 1

Just some examples: You can place your files outside of the webserver's document root or in a directory that is protected by a .htaccess file with a "deny from all" rule; then you deliver the files by a custom PHP function that sets the correct headers (mime-type, filesize etc.) and returns the file.

You could create links with unique id's based on MD5 or SHA1 hashes - a mod_rewrite rule points the id to your PHP file, you lookup the id in the database and do your time checks, like

example.com/downloads/73637/a8d157edafc60776d80b6141c877bc6b

is rewritten to

example.com/dl.php?id=a8d157edafc60776d80b6141c877bc6b&file=73637

Here's an example of doing something you want with nginx and PHP: http://wiki.nginx.org/HttpSecureLinkModule

Answer 2

"Secure Download Links", a PHP Script can be used to hide download url or rename download file, it has option for storing below web root and for files stored above webroot that is with absolute http urls also.

Answer 3

The best way is to delegate the download managment after your check to the mod for apache

x_sendfile

https://tn123.org/mod_xsendfile/

Usage:

<?php
...
if ($user->isLoggedIn())
{
    header("X-Sendfile: $path_to_somefile");
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=\"$somefile\"");
    exit;
}
?>
<h1>Permission denied</h1>
<p>Login first!</p>

Basically when you send the header X-Sendfile the mod intercepts the file and manages the download for you (the file can be located whenever you want outside the virtualhost).

Otherwise you can just implement a simple file download.php that gets the id of the file and prints the contents with readfile after the login check