On Sat, May 30, 2009 at 7:02 PM, Ashley Sheridan <a...@ashleysheridan.co.uk>wrote:
> On Sat, 2009-05-30 at 17:54 +0200, Nitsan Bin-Nun wrote: > > That's the verification that my layer does. I'm not sure whether that's > > enough or not. > > > > On Sat, May 30, 2009 at 4:43 PM, Michael A. Peters <mpet...@mac.com> > wrote: > > > > > Nitsan Bin-Nun wrote: > > > > > > On Sat, May 30, 2009 at 3:26 PM, Michael A. Peters <mpet...@mac.com > <mailto: > > >> mpet...@mac.com>> wrote: > > >> > > >> Nitsan Bin-Nun wrote: > > >> > > >> Hi > > >> > > >> I have wrote a file uploader in PHP, and I don't want people to > > >> hijack it > > >> (get direct links, download whenever they want, etc). > > >> > > >> Currently I have placed the uploaded files one directory up > from > > >> the www > > >> root, and I'm hosting the files mime type in order to serve > them > > >> on the fly. > > >> > > >> I'm trying to think how should I secure this website, I don't > > >> want people to > > >> get direct links,etc. > > >> > > >> Currently the links are being check with the $_SERVER['refer'] > > >> variables and > > >> it being compared to the one in my config file. > > >> > > >> Any ideas will be very appreciated! Thanks! > > >> > > >> > > >> By the way, does this file serving feature takes a lot of load > > >> from the > > >> server? if so then what are the other options? can I serve > these > > >> files w/o > > >> PHP involved? lets say only by some sort of apache module or > > >> anything like > > >> that? > > >> > > >> > > >> What I do - > > >> > > >> Files for restricted access are outside the web root. > > >> php wrapper script verifies the credentials of user to download the > > >> file (IE via a post token, session ID, etc.) and if allowed, it > then > > >> sends the real file. > > >> > > >> I use mod_rewrite (apache) to send requests for the real file to > the > > >> php wrapper script so that the linked file has the same name as the > > >> real file (lets me use the same wrapper for lots of different > files). > > >> > > >> As far as load on the server, no - I don't think it costs a lot as > > >> far as system resources. > > >> > > >> > > >> > > >> Thank you for the fast answer. > > >> > > >> I'm doing the same regarding the php wrapper layer, but the thing is > that > > >> I just don't know what verification exams should I do in the php > wrapping > > >> layer. > > >> I'm not sure what is the way that it should be done. > > >> > > > > > > I check the referrer, assuming no other credential is required, if it > is > > > from an approved site or not sent (some people disable sending the > > > http_referrer in their browser), I allow it. Otherwise I don't. > > > > That should be fine for downloading files. There will be an issue if > they are media files and you want to play them from a browser plugin, as > no plugin I've ever seen actually passes the referrer header. > > > Ash > www.ashleysheridan.co.uk > > I'm sending downloading headers, there will be no options of playing it from the browser's plugin. Thank you both for your comments. I have decided that referrer check is enough for now :) Nitsan
