Comments on: How do I keep sneaky website users from accessing files directly?

Question: How do I keep sneaky website users from accessing files directly?

jpoulos — Mon, 06 Apr 2009 07:12:51 -0800

How do I keep sneaky website users from accessing files directly?

I have a site (apache, php, mysql) where users can purchase podcast videos and mp3s. When the user brings up a video page, it checks (via php/mysql) to see if he/she is allowed to view that video. I've had a problem, however, with users viewing the page source and sharing the url of the video file they find there with others. Can I (a) obscure the url using javascript or something so they can't see the actual filename or (b) do something server-side to prevent direct access of the files or (c) something else?

By: larsks

larsks — Mon, 06 Apr 2009 07:15:29 -0800

Your problem is that you have the files inside your document root where they are accessible as static content. You need to move them outside of your document root and mediate access to them through a CGI script or similar. That is, the *script* needs to be responsible for reading content from the files and passing it back to the client -- this means that you can always check whether or not the user is authorized.

By: le morte de bea arthur

le morte de bea arthur — Mon, 06 Apr 2009 07:25:20 -0800

Seconding larsks

Your best best is probably to store the files outside the web root. Then write a PHP script using the readfile function to read the file and output it.

Then, rather than putting a link to your video of mp3 in your html, you can put a link to the php script instead, which can contain whatever validation you need, and can even output a different file if users are not authorised. One extra thing you'll need is ensure that you add the appropriate headers (including mime type) to the file your script is 'impersonating'.

By: cmiller

cmiller — Mon, 06 Apr 2009 07:52:52 -0800

Yep, if you're not using HTTP authentication, then you need a program to check auth and then spoon-feed them the request results.

Be sure to set the correct MIME type! Oh, and if it's supposedly downloadable, you may have some truly terrible I-E ugliness to work around.

By: ook

ook — Mon, 06 Apr 2009 08:29:30 -0800

obscure the url using javascript or something so they can't see the actual filename
This will only block the most casual of users; obfuscated javascript can easily be unobfuscated by just copying your script and running it against the scrambled name to see the result. (Or they could just bypass it entirely by watching their outgoing traffic to see the filename instead of viewing source.)

The technique suggested by larsks, le morte, and cmiller is the best one. Another (simpler but imperfect) strategy is to frequently randomize the filename, and/or to use a unique filename per user (which doesn't prevent sharing, but lets you know which of your users is doing it...)

By: jpoulos

jpoulos — Mon, 06 Apr 2009 10:56:42 -0800

Thanks, all. You've pointed me in the right direction.

By: MesoFilter

MesoFilter — Mon, 06 Apr 2009 11:48:21 -0800

Short term you can set up an .htaccess file which will require that in order to get a file from your domain, the referrer (the browser tells the site where it just came from) has to be on your domain.

Google for "htaccess" and "referrer checking."

This isn't a long-term solution because it can be spoofed & it's not really secure, but for simple friends-passing-links-on-to-friends, it should be fine.