Im building a "premium" section of my site and Im in a need to give download access to files in a remote directly (on a different server), to users with special privileges (accounts stored in mysql db). My site is coded in php/mysql so a php solution would be great.
views:
107answers:
4
+3
A:
direct all download links to a php file that'll do all the credential checking.
you can call the file download.php
pass along parameters via cookies, get, post, session, or whichever manner you verify privileges.
once credentials are verified, you can send an appropriate header.
if it's an image, the header would be header("Content-type: image/jpeg");
i'm assuming that you also own this remote server.
some useful links:
pxl
2009-10-11 07:22:12
With this solution take care to protect downloading of the file by typing the URL directly in the address bar. For instance, either put the protected files in a dir outside the root of the web site or access directives to httpd.conf.
xanadont
2009-10-11 07:28:33
and if it's on another server anyway, you can build the file or retrieve the file for download in a lot of different ways. just remember that you won't be able to defend against the most determined downloaders.
pxl
2009-10-11 09:30:34
+2
A:
As @pxl said, you need to check for authorization and then output the correct mime type as an HTML header (like he said: header("Content-type: image/jpeg");)
Also, once you are done with that, you will need to output the actual contents of the file and it's size (in bytes) as such:
header("Content-Length: ".filesize("FILENAME")*1.001);
/* The *1.001 puts a nice buffer on the filesize, I read about it online.
Browsers will stop downloading exactly at the Content-Length, but if they go
over, it's not a big deal at all. */
readfile("FILENAME");
die();
Just make sure to store the file in a directory that is not accessible from the web.
HalfBrian
2009-10-11 07:28:11
yup, and you can retrieve that file from anywhere that the web server has access too.
pxl
2009-10-11 09:28:37
A:
Here's what I would do:
Built a PHP-SOAP-Sever on the remote server B that holds the files.
Whenever a user triggers a download on your main server A connect to the SOAP-Server on B and reserve a ticket for the user specifying an IP-address and the id/path of the file to download.
Server B will now create a ticketId(which should only be valid for a limited time) for this download and return it to A.
Server A redirects the user to Server B supplying the ticketId as a GET parameter
Server B now checks if the ticket was already used, is expired or if the user comes from the wrong IP. If none of them apply serve the file and mark the ticket as used.
Note: On server B don't keep PHP running while serving the file but use the X-Sendfile header instead. Otherwise the download might stop after the PHP max execution time.
André Hoffmann
2009-10-11 09:17:55