Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I serve a downloadable file online without exposing the physical path?

Tags:

c#

php

asp-classic

I'm serving up documents that require the user to register before download. Currently, once you register and login, the links to the documents are displayed as:

myurl.com/docs/mypdf.pdf

So the physical path to the document is exposed to anyone logged in. What is the best practice for keeping the physical path to the document hidden so registered users can't share direct links with unregistered users or post direct links to the documents elsewhere?

EDIT: I was just looking for an idea that was language agnostic so I chose a few of my favorite languages for the tags. The actual implementation in this case is ASP classic. I'm currently using a download wrapper script that confirms the user is logged in before redirecting to the actual document URL. I just didn't include it in my question for simplicity.

like image 412
Cory House Avatar asked May 15 '09 15:05

Cory House

3 Answers

Don't do that. Instead keep the files somewhere outside the document tree and then make them accessible using a script (eg, php, .Net, whatever)

The script can check if they are logged in, validate if they are allowed the file, and if so return it. The path they go to might look more like this... /download.php?file=mypdf.pdf

Something along the lines of...

<?php
if (IsUserLoggedIn())
    readfile('/secret/path/to/file/mypdf.pdf');
?>
like image 71
Rik Heywood Avatar answered Sep 30 '22 08:09

Rik Heywood

The best way is to read the file up from a non-web accessible path and write it to the output stream.

This seemed to show an OK example in php which you seemed to be using? Just add security check to top of php and kick them out if they are not authorized.

http://www.higherpass.com/php/Tutorials/File-Download-Security/

like image 40
j0tt Avatar answered Sep 30 '22 06:09

j0tt

the best way to do that is to use a php/asp or serverside scripting file that reads the document a location that isnt available to the outside

that file then can check if the user is logged in and it can also hide the path to the physical file

so the url would be www.yourwebsite.com/file.php?file=image.png

file.php would verify that the user is logged in then it would read the file or redirect them to the login page

like image 28
Jim Avatar answered Sep 30 '22 06:09

Jim
Sign in to Comment

Related questions

how many numbers between 1 to 10 billion contains 14
C# error With ExcelDataReader
How to use C#8 IAsyncEnumerable<T> to async-enumerate tasks run in parallel
What are the most useful (custom) code snippets for C#? [closed]
How to eliminate flicker in Windows.Forms custom control when scrolling?
Dictionary<string, MyObject> or List<MyObject> with C# 3.5?
Is using StringBuilder Remove method more memory efficient than creating a new StringBuilder in loop?
Changing connection string at runtime in Enterprise Library
C# interop: excel process not exiting after adding new worksheet to existing file [duplicate]
What is the different between API functions AllocConsole and AttachConsole(-1)?
Programmatically limit CPU Usage of a Thread running inside a Service
Using MemoryStream to write out to XML
Is there a way to dynamically execute a string in .net, similar to eval() in javascript or dynamic sql in sql?
Practical usage of partial keyword in C#
Is it possible to post code taken from the .net framework and modified online? [closed]
How do I use the MS DIA SDK from C#?
What to return from a failed method and when to throw?
How to download an image from web showing the progress of the download in c# using winforms?
Single click to open menu for tray icon in C#
How do I programmatically select a tab on a .NET CF TabControl?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!