How do I keep sneaky website users from accessing files directly?
April 6, 2009 7:12 AM
I have a site (apache, php, mysql) where users can purchase podcast videos and mp3s. When the user brings up a video page, it checks (via php/mysql) to see if he/she is allowed to view that video. I've had a problem, however, with users viewing the page source and sharing the url of the video file they find there with others. Can I (a) obscure the url using javascript or something so they can't see the actual filename or (b) do something server-side to prevent direct access of the files or (c) something else?
Best answer: Seconding larsks
Your best bet is probably to store the files outside the web root. Then write a PHP script using the readfile function to read the file and output it.
Then, rather than putting a link to your video or mp3 in your html, you can put a link to the php script instead, which can contain whatever validation you need, and can even output a different file if users are not authorised. One extra thing you'll need is to ensure that you add the appropriate headers (including mime type) to the file your script is 'impersonating'.
posted by le morte de bea arthur at 7:25 AM on April 6, 2009 [1 favorite]
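The approach described in this answer, as an added example that is not code from the thread: a gatekeeper script that checks the purchase, then streams a file kept outside the web root with the right headers. The media directory, the `media` and `purchases` tables, the `user_id` session key and the database credentials are all assumptions for illustration.

```php
<?php
// download.php - added example; table, column, path and credential names are assumptions.
declare(strict_types=1);
session_start();

const MEDIA_DIR  = '/srv/media';   // assumed real (non-symlink) directory outside the web root
const MIME_TYPES = ['mp3' => 'audio/mpeg', 'mp4' => 'video/mp4', 'm4v' => 'video/x-m4v'];

function deny(int $status): void {
    http_response_code($status);
    exit;
}

// 1. The caller must be logged in (assumes the login code sets this session key).
$userId = $_SESSION['user_id'] ?? null;
if ($userId === null) deny(403);

// 2. Accept only a numeric media id, never a file name or path from the client.
$mediaId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($mediaId)) deny(400);

// 3. Return the file name only if this user has purchased the item.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_ro',
    getenv('SHOP_DB_PASS') ?: '', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'SELECT m.filename FROM media m
       JOIN purchases p ON p.media_id = m.id
      WHERE m.id = ? AND p.user_id = ?');
$stmt->execute([$mediaId, $userId]);
$filename = $stmt->fetchColumn();
if ($filename === false) deny(404);   // same reply for "missing" and "not purchased"

// 4. Resolve the path and confirm it is still inside MEDIA_DIR.
$path = realpath(MEDIA_DIR . '/' . basename((string) $filename));
if ($path === false || strpos($path, MEDIA_DIR . '/') !== 0) deny(404);

// 5. Send the headers of the file the script stands in for, then the bytes.
$ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
$safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: ' . (MIME_TYPES[$ext] ?? 'application/octet-stream'));
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . $safe . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
session_write_close();                      // release the session lock during a long transfer
while (ob_get_level() > 0) ob_end_clean();  // do not buffer the whole file in memory
readfile($path);
```

The page then links to `download.php?id=...` instead of the media file, so a copied URL only works for a session that passes the purchase check.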
Yep, if you're not using HTTP authentication, then you need a program to check auth and then spoon-feed them the request results.
Be sure to set the correct MIME type! Oh, and if it's supposedly downloadable, you may have some truly terrible I-E ugliness to work around.
posted by cmiller at 7:52 AM on April 6, 2009
obscure the url using javascript or something so they can't see the actual filename
This will only block the most casual of users; obfuscated javascript can easily be unobfuscated by just copying your script and running it against the scrambled name to see the result. (Or they could just bypass it entirely by watching their outgoing traffic to see the filename instead of viewing source.)
The technique suggested by larsks, le morte, and cmiller is the best one. Another (simpler but imperfect) strategy is to frequently randomize the filename, and/or to use a unique filename per user (which doesn't prevent sharing, but lets you know which of your users is doing it...)
posted by ook at 8:29 AM on April 6, 2009
Response by poster: Thanks, all. You've pointed me in the right direction.
posted by jpoulos at 10:56 AM on April 6, 2009
Short term you can set up an .htaccess file which will require that in order to get a file from your domain, the referrer (the browser tells the site where it just came from) has to be on your domain.
Google for "htaccess" and "referrer checking."
This isn't a long-term solution because it can be spoofed & it's not really secure, but for simple friends-passing-links-on-to-friends, it should be fine.
posted by MesoFilter at 11:48 AM on April 6, 2009
This thread is closed to new comments.
posted by larsks at 7:15 AM on April 6, 2009 [2 favorites]