blocking access to files with htaccess

Allow file access only through selected pages.

     
5:14 pm on Jul 26, 2005 (gmt 0)


I am pretty new to this so any help would be appreciated. I have a website with hundreds of audio files (mp3 and wav) available for free download but I only want the users to be able to access them via my php pages so I can show advertising and not just jump in to my data directory and have a free for all. I already have htaccess in my data directory with

IndexIgnore */*

To stop people seeing what’s in the directory but it is still pretty easy for them to work out the path etc so do I?

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^www.my-site.com/thispage.php* [NC]
RewriteCond %{HTTP_REFERER} !^www.my-site.com/anotherpage.php* [NC]
RewriteCond %{HTTP_REFERER} !^www.my-site.com/thatpage.php* [NC]
RewriteRule ^(.*)$ [my-site.com...] [R,L]

Or do I?

<LIMIT GET>
order deny,allow
deny from all
allow from .my-site.com/thispage.php*
allow from .my-site.com/anotherpage.php*
allow from .my-site.com/thatpage.php*
</LIMIT>

or is htaccess not the way to go and should I move my data outside my web space and do the session ID and cookie validating thingy?

Thanking you in advance

westend

5:27 pm on July 26, 2005 (gmt 0)


The "allow from" is going to specify the client's host, and not a referring URL, so the URL Rewrite will work better for what you're needing. What you have is close, but will need a few changes:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.my-site.com/thispage.php.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.my-site.com/anotherpage.php.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.my-site.com/thatpage.php.*$ [NC]
RewriteRule ^.*mp3$ [my-site.com...] [NC,R,L]

9:53 pm on July 26, 2005 (gmt 0)

jdmorgan (WebmasterWorld Senior Member)

westend,

An image or media link won't redirect, so you might as well use a simple 403-Forbidden response. In addition, many media players won't provide any referer, so you'll have to allow blank referers, as provided for in the additional (first) RewriteCond. I escaped your referrer path, and removed the superfluous "*" at the end -- which would have allowed zero or more "p" characters after ".ph", but is not needed anyway.


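RewriteEngine On
# Only test requests that send a referer; blank referers are allowed through
RewriteCond %{HTTP_REFERER} .
# The Referer header is a full URL, so each pattern starts at the scheme
RewriteCond %{HTTP_REFERER} !^http://www\.my-site\.com/thispage\.php [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.my-site\.com/anotherpage\.php [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.my-site\.com/thatpage\.php [NC]
# Any other referer gets a 403 Forbidden response
RewriteRule .* - [F]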

As stated above, most media players don't provide a referrer. In addition, many ISPs (e.g. AOL) and corporations' caching proxies block the referrer, and some users who run Norton Internet Security also block their referrers -- some without even knowing it. As a result, you'll need to allow blank referrers or hire a full-time help desk.

A cookies-based approach, where you set a cookie on /thispage\.php, /anotherpage\.php, or /thatpage\.php, and then check it in mod_rewrite (or in a "media-serving" script) would be a much better solution for access control.

Jim

2:49 am on July 27, 2005 (gmt 0)


Thanks for your help ChadSEO and Jim but the solutions didn't work...I could still type in the absolute URL and access the files that way.
So I have gone with

IndexIgnore */*

<Files "*.wav">
order deny,allow
deny from all
</Files>

to stop people grabbing the waves (one user took 250Mb) until I can write the cookie based access control.
Do you know of any good sites for tutorials on the subject?

Thanks

westend

3:10 am on July 27, 2005 (gmt 0)

jdmorgan (WebmasterWorld Senior Member)

1) Be sure to flush your browser cache before testing any changes to access control code. Otherwise, you will load a local cached copy, the request won't be sent to your server, and server-side code can have no effect.

2) I don't know of any tutorials. But the two steps are: Set a cookie on your "authorized" pages. Then check it when access to a media file is requested, and deny access if the cookie is missing, invalid, or outdated. There are many ways to do it, depending on your programming methods of choice.

If you find a good tutorial on an authoritative, non-commercial site, you can post it here.

Jim
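
The two steps described in the post above (set a cookie on the authorized pages, then reject a media request whose cookie is missing, invalid, or outdated), as an added PHP example that is not part of the original thread: the cookie carries an expiry time signed with an HMAC. SECRET_KEY, the cookie name dl_token and the 30-minute lifetime are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the thread. SECRET_KEY, the cookie name
// "dl_token" and TOKEN_TTL are assumed values.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret';
const TOKEN_TTL  = 1800; // seconds a token stays valid

// Build "expiry.signature". The HMAC covers the expiry time, so a visitor
// cannot extend or forge a token without knowing SECRET_KEY.
function make_token(int $now): string
{
    $expires = $now + TOKEN_TTL;
    return $expires . '.' . hash_hmac('sha256', (string) $expires, SECRET_KEY);
}

// True only for a well-formed, correctly signed, unexpired token.
function token_is_valid(string $token, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                        // missing or malformed
    }
    [$expires, $sig] = $parts;
    $expected = hash_hmac('sha256', $expires, SECRET_KEY);
    if (!hash_equals($expected, $sig)) {     // constant-time comparison
        return false;                        // invalid: tampered or forged
    }
    return (int) $expires >= $now;           // outdated once expiry has passed
}

// Step 1, on each "authorized" page, before any output is sent:
//   setcookie('dl_token', make_token(time()), ['path' => '/', 'httponly' => true]);
// Step 2, at the top of the media-serving script:
//   if (!token_is_valid($_COOKIE['dl_token'] ?? '', time())) {
//       http_response_code(403);
//       exit;
//   }

// Constructed sample run covering the cases named in the post.
$now   = 1122433200;                         // fixed sample timestamp
$token = make_token($now);
$sig   = substr($token, strpos($token, '.') + 1);
var_dump(token_is_valid($token, $now + 60));                 // freshly issued token
var_dump(token_is_valid('', $now));                          // no cookie sent
var_dump(token_is_valid(($now + 99999) . '.' . $sig, $now)); // expiry edited, old signature
var_dump(token_is_valid($token, $now + TOKEN_TTL + 1));      // token past its lifetime
```

Unlike a referer check, this rejects a request typed directly into the address bar unless the browser already holds a valid cookie from one of the authorized pages.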

1:47 pm on July 27, 2005 (gmt 0)


or is htaccess not the way to go and should I move my data outside my web space and do the session ID and cookie validating thingy?

Hi westend,

Using PHP and session IDs is the best solution and you can move the files outside your web space. Here's an example solution that uses the visitor's IP address for the session ID. You could use anything you like for the session.

Put the following code at the top of your pages that contain the download links.

<?php
// Record the visitor's IP address in the session when a download page is viewed.
session_start();
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
?>

Save the following code as download.php in each of the directories that contain download links.

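<?php
// Directory outside the web space that holds the media files.
$path = "/home/customer/downloads/";
$remote = $_SERVER['REMOTE_ADDR'];
// basename() drops any directory components, so "../" cannot escape $path.
$file = basename((string) ($_REQUEST['download'] ?? ''));
session_start();
// Serve the file only to a session started on a download page from the same
// IP address, and only if the requested file actually exists in $path.
if (isset($_SESSION['ip']) && $_SESSION['ip'] === $remote
        && $file !== '' && is_file($path . $file)) {
    header("Content-Length: " . filesize($path . $file));
    header("Content-Type: application/force-download");
    header('Content-Disposition: attachment; filename="' . $file . '"');
    readfile($path . $file);
} else {
    // No valid session or no such file: send the visitor to the home page.
    header('Location: [domain.tld...]');
    exit;
}
?>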

The download links would be in the following format.
<a href="download.php?download=file.mp3">

When someone visits the download pages they are assigned a session ID.

When a user tries to download a file it checks for a valid session and then allows the user to download files. If there's no valid session the user would be redirected to your home page.

4:34 pm on July 27, 2005 (gmt 0)


Thanks Gorfu, the code will come in handy...I have found a couple of tutorials on user authentication and some free code floating around the web, now it's a toss up between pulling my hair out and doing it myself or the commercial applications...I think I will do it myself (I have got too much hair anyway :))

westend