Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
611 views
in Technique[技术] by (71.8m points)

.htaccess - Help securing files access with htaccess and php?

I'm working on a site that allows users to purchase digital content and have implemented a method that attempts to serve secure downloads.

I'm using CodeIgniter to force downloads like this:

$file = file_get_contents($path);

force_download("my_file_name.zip", $file);

Of course, I make sure the user has access to the file using a database before serving the download, but I was wondering if there was a way to make these files more secure.

I'm using a some 8-10 letter keys to create the file paths so urls to the files aren't exactly easy to figure out... something like http://mysite.com/as67Hgr/asdo0980/uth89.zip in lieu of http://mysite.com/downloads/my_file.zip.

Also, I'm using .htaccess to deny directory browsing like so: Options All -Indexes.

Other than that... I have no idea what steps to take. I've seen articles suggesting username and password methods using .htaccess, but I don't understand how to bypass the password prompt that would occur using that method.

I was hoping there might be a method where I could send a username and password combination using headers and cUrl (or something similar), but I wouldn't know where to start.

Any help would be hugely appreciated. Thanks in advance!

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Make it so the web server does not serve the files under any circumstances, otherwise all the checking is pretty moot. The best way to do that is to put them somewhere outside the webroot. I.e.:

/
  webroot/         <- root web directory, maybe named www or similar
    index.php      <- your app, served normally
    …other serve-able files…
  files/           <- not part of the serve-able webroot dir
    secret_file    <- web server has no access here

Then, if the only way to access them is through your script, it's as secure as you make your script.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...