How do I keep sneaky website users from accessing files directly?
April 6, 2009 7:12 AM   Subscribe

How do I keep sneaky website users from accessing files directly?

I have a site (apache, php, mysql) where users can purchase podcast videos and mp3s. When the user brings up a video page, it checks (via php/mysql) to see if he/she is allowed to view that video. I've had a problem, however, with users viewing the page source and sharing the url of the video file they find there with others. Can I (a) obscure the url using javascript or something so they can't see the actual filename or (b) do something server-side to prevent direct access of the files or (c) something else?
posted by jpoulos to Computers & Internet (6 answers total) 9 users marked this as a favorite
Your problem is that you have the files inside your document root where they are accessible as static content. You need to move them outside of your document root and mediate access to them through a CGI script or similar. That is, the *script* needs to be responsible for reading content from the files and passing it back to the client -- this means that you can always check whether or not the user is authorized.
posted by larsks at 7:15 AM on April 6, 2009 [2 favorites]

Best answer: Seconding larsks

Your best best is probably to store the files outside the web root. Then write a PHP script using the readfile function to read the file and output it.

Then, rather than putting a link to your video of mp3 in your html, you can put a link to the php script instead, which can contain whatever validation you need, and can even output a different file if users are not authorised. One extra thing you'll need is ensure that you add the appropriate headers (including mime type) to the file your script is 'impersonating'.
posted by le morte de bea arthur at 7:25 AM on April 6, 2009 [1 favorite]

Yep, if you're not using HTTP authentication, then you need a program to check auth and then spoon-feed them the request results.

Be sure to set the correct MIME type! Oh, and if it's supposedly downloadable, you may have some truly terrible I-E ugliness to work around.
posted by cmiller at 7:52 AM on April 6, 2009

obscure the url using javascript or something so they can't see the actual filename
This will only block the most casual of users; obfuscated javascript can easily be unobfuscated by just copying your script and running it against the scrambled name to see the result. (Or they could just bypass it entirely by watching their outgoing traffic to see the filename instead of viewing source.)

The technique suggested by larsks, le morte, and cmiller is the best one. Another (simpler but imperfect) strategy is to frequently randomize the filename, and/or to use a unique filename per user (which doesn't prevent sharing, but lets you know which of your users is doing it...)
posted by ook at 8:29 AM on April 6, 2009

Response by poster: Thanks, all. You've pointed me in the right direction.
posted by jpoulos at 10:56 AM on April 6, 2009

Short term you can set up an .htaccess file which will require that in order to get a file from your domain, the referrer (the browser tells the site where it just came from) has to be on your domain.

Google for "htaccess" and "referrer checking."

This isn't a long-term solution because it can be spoofed & it's not really secure, but for simple friends-passing-links-on-to-friends, it should be fine.
posted by MesoFilter at 11:48 AM on April 6, 2009

« Older Imperialist apologies?   |   You ain't gonna get sick son! Newer »
This thread is closed to new comments.