
Checking referrer when downloading from remote source


dannyb785


Hi, I have decent knowledge of htaccess and know enough about php/mysql, so a little direction/advice is mostly what I need. I host a website (site1.com) that has links to files that are hosted on a different website (site2.com) on a different server. When a file link is clicked from site1.com, first it will go to a local php file (within site1.com) that checks that the user is logged in and makes sure the file exists. Then it redirects (using a simple header function) to the file located at site2.com to begin the download.

 

But since my files at site2.com are stored in a simple folder (if you knew the folder name, you could download all the files without having to be logged in), I want a way for site2.com to check that the file request is coming from site1.com (maybe using the php referrer?) before it allows the download to proceed. Any ideas?


The referrer is insecure. Don't rely on it.

 

Do you mind having the file go through your server first? Means double the bandwidth (both site1 and site2 are sending the whole file) but it's the easiest answer.

 

I understand that referrers can be spoofed, but the chances are pretty low of anyone knowing that's how I check for a valid download attempt. Can anyone just answer my question of how to do it? Or suggest a suitable alternative?


Despite them being spoofable, some browsers, firewalls, or proxies will filter out a referrer for privacy reasons, so it will never be sent. This means your download script will not work at all for any of those people.

 

There's not really any good way to do what you want to do when using a simple header redirect. If only logged-in users should see them, then you should be running the entire download process through your script rather than redirecting to the raw file.

 

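What "running the entire download process through your script" looks like in practice, as an added example that is not code from either poster: a site1.com download script that checks the session, resolves the requested name inside a directory Apache never serves, and streams the bytes itself so no direct URL to the file exists. The storage path `/var/files/private`, the session key `user_id`, and the `file` query parameter are assumptions for the example.

```php
<?php
// Added example (not the thread's code). Serves private files only to a
// logged-in session; the files live outside the document root, so the only
// way to reach them is through this script.
session_start();

// Hypothetical directory that is NOT under the web root and is not served by Apache.
const FILE_DIR = '/var/files/private';

// 1. Authentication: reuse whatever the login flow already stores in the session.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required.');
}

// 2. Reject anything but a plain file name. basename() drops directory parts,
//    and the whitelist keeps "../", NUL bytes and quotes out of both the path
//    and the Content-Disposition header.
$name = basename((string) ($_GET['file'] ?? ''));
if ($name === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $name) || $name[0] === '.') {
    http_response_code(400);
    exit('Bad file name.');
}

// 3. Resolve symlinks and confirm the result is still inside FILE_DIR.
$path = realpath(FILE_DIR . '/' . $name);
if ($path === false || strpos($path, FILE_DIR . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('No such file.');
}

// 4. Stream the file. The browser never learns where it is stored.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');

// Discard any output buffering so large files are not held in memory.
while (ob_get_level() > 0) {
    ob_end_clean();
}
readfile($path);
```

With this in place the file link on site1.com points at `download.php?file=report.pdf` (or whatever name your script uses) instead of a site2.com URL, and the Apache config for site2.com's folder can simply deny all direct access. As the replies above note, this doubles bandwidth if site2.com must still hold the files, because site1.com fetches and re-sends them; the simplest fix is to move the files onto site1.com's server.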

The way you prevent direct downloads is by not allowing them. That's it. You force people to access the files via your script and provide no alternative means whatsoever for them to access the file. Generally you place the files somewhere that they will not even be served by Apache at all and only your script can access them.

 

The only possible alternative that would allow you to use a direct URL while keeping people from re-using it would be to set up a system where the direct URL is constantly changing. Then you need some way to keep both your servers up to date on what the current URL is. The URLs should be generated randomly, not based on some varying value like a timestamp; otherwise someone could just guess.

 

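The "constantly changing URL" alternative from the reply above, as an added example rather than code from the thread: site1.com mints a random single-use token after its existing login and file-exists checks, both servers share one MySQL table that records which file the token unlocks and when it expires, and site2.com's `dl.php` serves the file only for a live token and deletes it in the same transaction. The table name `download_tokens`, the database host, the script name `dl.php` and the storage directory are all assumptions made up for this example.

```php
<?php
// Added example (not the thread's code): random, single-use download URLs.
// Hypothetical shared table, reachable from both servers:
//   CREATE TABLE download_tokens (
//       token      CHAR(64) PRIMARY KEY,
//       filename   VARCHAR(255) NOT NULL,
//       expires_at DATETIME NOT NULL
//   );

function db(): PDO {
    // Hypothetical shared database; both site1.com and site2.com connect to it.
    $pdo = new PDO('mysql:host=db.example.internal;dbname=files', 'app', 'change-me');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// --- site1.com side: replaces the plain header() redirect to the raw file ---
function issueDownloadUrl(string $filename): string {
    // random_bytes() is a CSPRNG: 32 bytes = 64 hex characters, not guessable
    // and not derived from the clock, which is what the reply above warns about.
    $token = bin2hex(random_bytes(32));
    $stmt = db()->prepare(
        'INSERT INTO download_tokens (token, filename, expires_at)
         VALUES (?, ?, DATE_ADD(NOW(), INTERVAL 60 SECOND))'
    );
    $stmt->execute([$token, $filename]);
    return 'https://site2.com/dl.php?t=' . $token;
}
// Usage on site1.com after the login and file-exists checks already in place:
//   header('Location: ' . issueDownloadUrl($filename)); exit;

// --- site2.com side: dl.php ---
function redeemToken(string $token): ?string {
    // Only accept exactly the shape we mint; anything else is not even looked up.
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $pdo = db();
    $pdo->beginTransaction();
    $stmt = $pdo->prepare(
        'SELECT filename FROM download_tokens
         WHERE token = ? AND expires_at > NOW() FOR UPDATE'
    );
    $stmt->execute([$token]);
    $filename = $stmt->fetchColumn();
    if ($filename !== false) {
        // Single use: delete inside the same transaction, so two requests
        // racing on one link cannot both succeed.
        $pdo->prepare('DELETE FROM download_tokens WHERE token = ?')->execute([$token]);
    }
    $pdo->commit();
    return $filename === false ? null : $filename;
}

if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'dl.php') {
    $filename = redeemToken((string) ($_GET['t'] ?? ''));
    if ($filename === null) {
        http_response_code(403);
        exit('Link expired or invalid.');
    }
    // Hypothetical storage directory on site2.com, outside its web root.
    $path = realpath('/var/files/private/' . basename($filename));
    if ($path === false || strpos($path, '/var/files/private/') !== 0 || !is_file($path)) {
        http_response_code(404);
        exit('No such file.');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

Because the token is random and expires within a minute, a copied link stops working almost immediately and nothing about it reveals the folder layout on site2.com. The referrer header plays no part, so the privacy proxies and browsers that strip it no longer break the download. A periodic `DELETE FROM download_tokens WHERE expires_at < NOW()` keeps the table small.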
