Protect download files

I'm developing an application that needs to show some videos, but in
a protected environment. Any user must be authenticated to see the
videos. But for example, if anyone knows the path of the videos, they can
access the site directly and download them without authentication.

If I write the URL of a video in the location bar, I can download it
without a problem because the application cannot test if the user is
already authenticated or not. I've read something about RedirectMatch
and it works well but now the users cannot see the videos.

I'll try to write an example:

.- #I write this rule in the httpd.conf
RedirectMatch (.*)\.avi$

With this rule I redirect all the requests for the video files, including
the requests from Windows Media Player, but I don't want to do this.
When I show the video directly on the web, I don't need to redirect,
but when it is a direct request from a URL to download the file, I must
check if the user is authenticated.

I hope that you can understand my bad English.

Fran García

Re: Protect download files

On Fri, 22 Jul 2005 05:11:04 -0700, fgarciarico wrote:


Do one of the following:

1) Use Basic Auth in the .htaccess file

2) Use Basic Auth within PHP

I recommend number (1).  Of course, the trouble with that is that it is
outside any application logic.

You could try putting any .avi (or other protected files) outside the http
virtual directory path and then create a PHP shell app that just gets and
downloads the file for you.  (I know you said you are trying something
like this).  To do this you will need to use

header("Content-type: blah/blah");

where blah/blah is the correct content type

The important thing here is to put the .avi files (any protected files)
OUTSIDE the http virtual directory path!  So that one cannot just type in
a URL and get the file.

    JDS | jeffrey@example.invalid

Re: Protect download files

JDS wrote:

put a .htaccess in your video dir containing the line:

deny from all

this will prevent any browser access in that dir

now deliver the videos to your users with a php script that

1. checks the credentials and
2. if ok, delivers the video via the server's filesystem, using i.e.
readfile (which is not affected by .htaccess)


Re: Protect download files

deliver_video.php has to be outside the video dir of course


Re: Protect download files

chotiwallah wrote:

Or, better yet, put them below the document_root.  That way you're not depending  
on the .htaccess.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.

Re: Protect download files

I've thought of something like that, but I must show the video files in
a media player object in my web pages and I think that if the video
file isn't at a valid URL, I cannot show it. Or?

Re: Protect download files

On Tue, 26 Jul 2005 00:30:44 -0700, fgarciarico wrote:


You can use a PHP file as the video file.  Just send the proper header.  
For example, I can use a PHP script as a JPEG or GIF image if I send the
proper header:

header("Content-type: image/jpeg");

AND if the content following is an actual JPEG image.

For example, say I have an image, "image.jpg".  I can read it into the PHP
script using one of the binary-safe file reading functions in PHP:

(I think this example will work)


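<?php
// getimage.php
/* ...Include authentication and security stuff here...*/

$file = "image.jpg";
// file_get_contents() is binary-safe
$file_contents = file_get_contents($file);
// The header must be sent before any output
header("Content-type: image/jpeg");
print $file_contents;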

Now include getimage.php in your HTML page:

<img src="getimage.php">

You should be able to do the same with a video file.  Using the video
file's MIME type, of course, in the header.


    JDS | jeffrey@example.invalid
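
The approach the replies describe (videos kept outside the document root, a PHP script that checks the login and then streams the file), as an added example that is not code from any poster in the thread. The session key `user_id`, the directory `/var/protected/videos` and the `file` query parameter are assumptions.

```php
<?php
// Added example, not code from the thread. Hypothetical names (assumptions):
//   $_SESSION['user_id'] is set by the application's login page,
//   VIDEO_DIR is a directory outside the document root,
//   the player requests deliver_video.php?file=<name>.avi
const VIDEO_DIR = '/var/protected/videos';

// Map a requested name to a real file inside $baseDir, or null if not allowed.
function resolve_video($requested, string $baseDir): ?string
{
    if (!is_string($requested)) {   // ?file[]=x arrives as an array
        return null;
    }
    // basename() drops any directory part such as "../../".
    $name = basename($requested);
    if (!preg_match('/^[A-Za-z0-9_-]+\.avi\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks; refuse anything that ends up outside $base.
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Authentication required');
}

$path = resolve_video($_GET['file'] ?? null, VIDEO_DIR);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

session_write_close();            // release the session lock during the download
while (ob_get_level() > 0) {      // avoid buffering the whole file in memory
    ob_end_clean();
}
header('Content-Type: video/x-msvideo');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The media player object's source URL then points at the script, for instance `deliver_video.php?file=intro.avi` (a constructed name), instead of at the .avi file itself.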
