Re: [PHP] Using PHP for accsess control, preventing access to static files
On Thu, October 27, 2005 11:05 am, Dan Trainor wrote: It's been suggested to use readfile() to accomplish this, by forwarding content from outside of the document root - but this just sounds odd. On top of being (what I think would be) incredibly slow, it just doesn't sound right. A) It's right. B) readfile is the same thing in PHP that Apache would do in Apache, basically: PHP::readfile == Apache::readfile So your overhead is a few function calls to the PHP Module, a load-up of your download.php script from the hard drive, and then a few function calls in PHP. Now, out of all that, the only thing expensive is download.php coming off the disk drive. If you have a PHP Cache of some kind (Zend Cache, et al) then this is cheap. If your OS/disk has a Cache, then this is cheap. If your server gets slammed and download.php isn't in RAM, then it gets expensive. Only stress tests on your server will tell you how expensive it will be, but its' not like the script will take you long to write: ?php session_start(); if (!$_SESSION['authenticated'])) header(Location: http://example.com/login.php;); $filename = $_GET['filename']; //scrub $filename better than this, but it's a start: $filename = basename($filename); readfile(/full/path/to/non/web/storage/area/of/downloads/only/$filenaem); ? That's pretty much it. Change it, test it, stress it, and see if PHP/readfile really slows you down compared to a direct download with no access control at all. I'm betting the answer is No If PHP is too slow, you've still got two good benchmarks to compare other solutions against, and it only took you, what?, a couple hours to develop them? -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using PHP for accsess control, preventing access to static files
Dan Trainor wrote: Hello, all - I'm designing a controlled access system in PHP, and it's coming along quite well. It's very simple, and just sets a session varibale, such as $_SESSION['authenticated'] = 1, not a whole lot. If you do this this, you must make sure you have some sort of session hijacking prevention in place. Now I run a small sniplet of code on the top of each HTML and PHP file, which checks for this variable, and either allows or denys access to the page. However, how do people protect against the downloading of real files, ones which are not parsed by PHP? .WMV, .MOV, .ZIP, .EXE and so on? I want to protect access to these as well, and if a visitor just types in a URL and is able to access the file because my access control mechanism simply doesn't work on those types of files, what should be the solution here? It's been suggested to use readfile() to accomplish this, by forwarding content from outside of the document root - but this just sounds odd. On top of being (what I think would be) incredibly slow, it just doesn't sound right. This works fine for me on one site I maintain, though not with readfile(). When testing readfile() always crapped out at around 2Mb, whereas fopen() and a while loop with fread() working perfectly, even for larger files (up to 200Mb). Not tested this on high traffic, though it all depends on how large you files are. -- Richard Heyes -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Using PHP for accsess control, preventing access to static files
Hello, all - I'm designing a controlled access system in PHP, and it's coming along quite well. It's very simple, and just sets a session varibale, such as $_SESSION['authenticated'] = 1, not a whole lot. Now I run a small sniplet of code on the top of each HTML and PHP file, which checks for this variable, and either allows or denys access to the page. However, how do people protect against the downloading of real files, ones which are not parsed by PHP? .WMV, .MOV, .ZIP, .EXE and so on? I want to protect access to these as well, and if a visitor just types in a URL and is able to access the file because my access control mechanism simply doesn't work on those types of files, what should be the solution here? It's been suggested to use readfile() to accomplish this, by forwarding content from outside of the document root - but this just sounds odd. On top of being (what I think would be) incredibly slow, it just doesn't sound right. Thanks! -dant -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using PHP for accsess control, preventing access to static files
I'm designing a controlled access system in PHP, and it's coming along quite well. It's very simple, and just sets a session varibale, such as $_SESSION['authenticated'] = 1, not a whole lot. Now I run a small sniplet of code on the top of each HTML and PHP file, which checks for this variable, and either allows or denys access to the page. However, how do people protect against the downloading of real files, ones which are not parsed by PHP? .WMV, .MOV, .ZIP, .EXE and so on? I want to protect access to these as well, and if a visitor just types in a URL and is able to access the file because my access control mechanism simply doesn't work on those types of files, what should be the solution here? It's been suggested to use readfile() to accomplish this, by forwarding content from outside of the document root - but this just sounds odd. On top of being (what I think would be) incredibly slow, it just doesn't sound right. I had a similar issue. I ended up using a .htaccess so that you could not open the file directly. If checked for the referrer. This is not the most secure way to do it. I know it can be spoofed. IndexIgnore * SetEnvIfNoCase Referer ^http://example.com/viewer.php; local_ref=1 Order Allow,Deny Allow from env=local_ref Jason Motes php at imotes.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using PHP for accsess control, preventing access to static files
Jason Motes wrote: I'm designing a controlled access system in PHP, and it's coming along quite well. It's very simple, and just sets a session varibale, such as $_SESSION['authenticated'] = 1, not a whole lot. Now I run a small sniplet of code on the top of each HTML and PHP file, which checks for this variable, and either allows or denys access to the page. However, how do people protect against the downloading of real files, ones which are not parsed by PHP? .WMV, .MOV, .ZIP, .EXE and so on? I want to protect access to these as well, and if a visitor just types in a URL and is able to access the file because my access control mechanism simply doesn't work on those types of files, what should be the solution here? It's been suggested to use readfile() to accomplish this, by forwarding content from outside of the document root - but this just sounds odd. On top of being (what I think would be) incredibly slow, it just doesn't sound right. I had a similar issue. I ended up using a .htaccess so that you could not open the file directly. If checked for the referrer. This is not the most secure way to do it. I know it can be spoofed. IndexIgnore * SetEnvIfNoCase Referer ^http://example.com/viewer.php; local_ref=1 Order Allow,Deny Allow from env=local_ref Jason Motes php at imotes.com Thanks for the reply, Jason - I'd like to keep the application as portable as possible; thus, I cannot use any kind of htaccess hackery because I want this PHP application to run on IIS, as well. Thanks -dant -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php