-1

I have to restrict direct downloading of any file inside a directory on the web server. Also, it should allow downloading through a server-script-generated encrypted URL.

For example,

Directory path of the file: /home/downloads/password.txt

URL: http://www.sitename.com/downloads/password.txt

Direct access to the URL must be restricted. But it should allow downloading through a server-generated encrypted URL.

For example,

<a href="http://www.sitename.com/xxxxxxxxxxx.php">Download</a>

The actual server script to control downloads will be,

http://www.sitename.com/private/download.php

But direct access to that URL (shown above) should be restricted, so that there will be no permanent link to access it directly.

ak-SE
  • I tried to use the previously posted questions, [How to allow downloading files with PHP, but deny direct access to directory listings](http://stackoverflow.com/questions/29957720/how-to-allow-downloading-files-with-php-but-deny-direct-access-to-directory-lis), [PHP: How can I block direct URL access to a file, but still allow it to be downloaded by logged in users?](http://stackoverflow.com/questions/7127153/php-how-can-i-block-direct-url-access-to-a-file-but-still-allow-it-to-be-downl) – ak-SE Jan 28 '16 at 08:42
  • I think you misunderstood. SO is here to help you with problems in your code, not to create your software concepts for you. So: what have YOU tried to achieve this, not counting asking other people to do it for you? – Franz Gleichmann Jan 28 '16 at 08:44
  • @FranzGleichmann You have misunderstood. I know how to restrict direct file access inside the directory using .htaccess. Also, I know how to restrict direct PHP file access inside the directory from the URL. But I have to generate a random URL or encrypted URL (not permanent) for each download, only through accessing the web page. – ak-SE Jan 28 '16 at 08:51
  • So yes - what have you tried to achieve the generation of those random URLs? What is the actual code you've written that you have problems with? – Franz Gleichmann Jan 28 '16 at 08:53
  • I am able to encrypt or generate the URL. But it will deny access to the actual URL because it is restricted. – ak-SE Jan 28 '16 at 08:57
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/101852/discussion-between-ak-se-and-franz-gleichmann). – ak-SE Jan 28 '16 at 08:59
  • Your best bet is to save the original file above the webroot (not publicly-accessible) and have your script stream that file. – Mike Rockétt Jan 28 '16 at 13:09
  • [MikeRockett](http://stackoverflow.com/users/1626250/mike-rockett) Can you give an example? – ak-SE Jan 28 '16 at 13:13

1 Answer

1

Encryption is almost always a bad choice for URL parameters.

Instead of http://www.sitename.com/xxxxxxxxxxx.php just make it http://www.sitename.com/download.php?onetimecode=[32 hex characters] and make sure you use bin2hex(random_bytes()) to generate the token.

Store the actual data you're trying to protect outside of your document root to prevent direct object access; only allow a valid one-time code to supply access to this code.

Scott Arciszewski
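The one-time-code flow described in the answer above, as an added example that is not part of the original answer: a token is issued when the page is rendered, stored only as a hash, and claimed atomically on download so it works exactly once. The function names, `TOKEN_DIR`, `TOKEN_TTL` and the file-based token store are assumptions for illustration; `/home/downloads` and the `onetimecode` parameter come from the question and answer.

```php
<?php
declare(strict_types=1);
// Assumed layout: both directories live outside the document root.
const FILE_DIR  = '/home/downloads';        // path from the question
const TOKEN_DIR = '/home/download-tokens';  // hypothetical token store
const TOKEN_TTL = 300;                      // assumed link lifetime in seconds

// Called by the page that renders the "Download" link (hypothetical helper).
function issueToken(string $fileName): string
{
    $token  = bin2hex(random_bytes(16));    // 32 hex characters from the CSPRNG
    $record = json_encode(['file' => basename($fileName), 'expires' => time() + TOKEN_TTL]);
    // Store only a hash, so a leaked token directory does not yield usable links.
    file_put_contents(TOKEN_DIR . '/' . hash('sha256', $token), $record, LOCK_EX);
    return $token;
}

// Returns the path to stream, or null if the code is malformed, used or expired.
function redeemToken(string $token): ?string
{
    if (preg_match('/\A[0-9a-f]{32}\z/', $token) !== 1) {
        return null;
    }
    $path    = TOKEN_DIR . '/' . hash('sha256', $token);
    $claimed = $path . '.claimed';
    // rename() within one filesystem is atomic on POSIX systems:
    // of two concurrent requests, only one can claim the record.
    if (!@rename($path, $claimed)) {
        return null;
    }
    $record = json_decode((string) file_get_contents($claimed), true);
    unlink($claimed);
    if (!is_array($record) || ($record['expires'] ?? 0) < time()) {
        return null;
    }
    // basename() again on the way out: never trust a stored path blindly.
    $file = FILE_DIR . '/' . basename((string) ($record['file'] ?? ''));
    return is_file($file) ? $file : null;
}

// Body of download.php?onetimecode=... (skipped when run from the CLI).
if (PHP_SAPI !== 'cli') {
    $code = $_GET['onetimecode'] ?? '';
    $file = redeemToken(is_string($code) ? $code : '');
    if ($file === null) { http_response_code(404); exit; }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    readfile($file);
}
```

The link on the page is then built as `download.php?onetimecode=` followed by the value returned from `issueToken('password.txt')`; a second request with the same code gets a 404.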