Home / Questions / 35037
Accepted
Diablo
Asked: 2020-11-22 06:54:44 +0800 CST 2020-11-22 06:54:44 +0800 CST

Is there a way to protect a download file from a protected page?

  • 772

I put an analysis to my question, we imagine that we have a loginwhere the user logs in, and is redirected to a page protected by a session. The protected page could look something like:

if (isset($_SESSION['usuario'])) {  
    if (!filter_var($_SESSION['usuario'] ?: '', FILTER_VALIDATE_INT) === false) {
          $id_usuario = $_SESSION['usuario'] ?: '';
    } else {        
          //Destruimos sesion.
         session_destroy();
         //Redirigimos a login.
         header('location: tulogin.php');
         exit();
    }   
} else { //Caso Falso, Redirigimos a login.
    header('location: tulogin.php');
    exit();
}

Now comes my question, is there any way to protect files from downloads on the protected page by users who are not logged in or are not registered.

<a href="http://descargar.php/archivo_winrar.rar">Descargar</a>

Since if one obtains the address of our website, they URLcould download said content without having access. A practical example with explanation would be interesting, thanks in advance.

php

3 Answers

  1. You could solve this if instead of directly linking the file, you linked to a download page that takes a file identifier as a parameter.

    On that download page you could follow an algorithm like this:

    1. Check that the file identifier is valid (eg in a database)
      1. If not, show error message and exit
    2. Check that the user is registered
      1. If not, redirect to login
    3. Sets the values ​​of headerto those of the type of file to return
    4. read the file
    5. return the file

    The user will have the impression that the file is downloaded, but if he shares the link with a user who is not registered and logged in , it will not work.

    • 1
  2. Best Answer

    Save the file with the proper permissions so that no one can access it directly.

    After verifying that the user is registered, you can download the file.

    <?php
session_start();

if (isset($_SESSION['usuario'])) {

    $file = '/directorio/archivo_winrar.rar';

    header('Content-type: application/x-rar-compressed');
    header('Content-length: ' . filesize($file));
    readfile($file);

} else {

    echo 'No tienes permiso para la descarga';
}

    Source: Allow logged in user to Download File

    • 1

  3. What I would do is put the file in a folder with "encrypted name" and change it every time a download is made, save that "encrypted-name" in a mine table and that's it.

    For example. I put the file in a folder named "a574930fg09" and save that name in a table. When an enabled user wants to download it, he accesses the link "/a574930fg09/superarchive.png".

    That link can change either every day or every 10 minutes... or whenever you want! and only the system knows the link. If someone wants to share that link, it will only serve for "the renewal time" which is not usually very useful.

    • 0