Prevent direct url access to files

Background info:

I am working on a website which will provide image and video content via a subscription service. That is, users should ONLY have access to the image and video content so long as they are logged in successfully. (Note: the log in system uses a combination of MySQL DB - to store the username and password - and php to create new user sessions / authentication etc.)

The problem:

How do I stop a user (logged in or not) from directly accessing the image and video files? For example, a user who is not logged in could access the file directly as follows: www.domain.com/testvideo.mp4 - this would render the video content in the browser for them to watch or share with others. (NOTE: I still need to be able to use / display the image and video files on-site via HTML, CSS, PHP etc)

I have tried several .htaccess solutions (including: RewriteCond/RewriteRule & .htpassword) which have successfully prevented direct access BUT have prevented the ability to use the files on-site via HTML, CSS, PHP etc.

I was thinking that this must be a very common problem and, if so, what is the best way to resolve it?

dw1991 asked Jan 31 '26 13:01


1 Answer

It is a pretty common problem with a pretty common solution. In order to force access control you have to invoke a PHP script before serving the file and verify the credentials. Then, if the credentials are valid, serve the actual file.

You may be tempted to serve the file directly from PHP script using something like readfile. This is going to kill your server performance and break download resuming for the client.

Luckily there is a solution where you can hand the actual file serving back to the web server.

This works as follows:

  1. The web-server receives the request to /file.mp4.
  2. According to the rewrite rules you've set up it directs it to your PHP script /serve.php instead.
  3. Your script verifies the credentials, e.g. something from the session or cookies.
  4. If the credentials are valid, the script issues a specially crafted header. It tells the web-server to actually serve the static file. If not, you may as well output a 403 HTTP code.

The example script can be something like:

<?php
$file = '/tmp/file.mp4'; // it is in your best interest to make this file inaccessible for a direct download
header('X-Sendfile: ' . $file);                      // mod_xsendfile replaces the response body with this file
header('Content-Type: ' . mime_content_type($file)); // contentType() is not a PHP built-in; mime_content_type() is
header('Content-Disposition: inline;');

In order for this to work you'll have to have mod_xsendfile (https://tn123.org/mod_xsendfile/) installed on your Apache, which is probably already the case for your hoster. You'll also have to drop in some lines to configure it and set up a proper rewrite.

You can find a lot of stuff on Google by issuing "mod_xsendfile php", which might also help a great deal.

Hope that makes sense!

SkyWriter answered Feb 02 '26 06:02
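The four steps in the answer above, carried through as one complete serve.php, as an added example that is not the answerer's code. It assumes mod_xsendfile is loaded, that the protected media lives in a hypothetical directory /var/www/protected outside the document root, that the login code stores a hypothetical `user_id` key in the PHP session, and that the Apache rewrite in the comment at the top (constructed here) maps /media/<name> onto the script. Besides the session check, it resolves the requested name inside the protected directory and rejects anything that escapes it, because the rewrite passes user-controlled input straight into the script.

```php
<?php
// serve.php: added example, not the original answer's code.
// Assumed Apache configuration (constructed), e.g. in the document root's .htaccess:
//
//   XSendFile On
//   XSendFilePath /var/www/protected      # directory Apache is allowed to send from
//   RewriteEngine On
//   RewriteRule ^media/(.+)$ serve.php?f=$1 [L,QSA]
//
// /var/www/protected sits outside the document root, so no direct URL ever reaches the files.

declare(strict_types=1);

session_start();

// Step 3: verify the credentials. 'user_id' is a hypothetical session key set at login.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

$baseDir   = '/var/www/protected';            // hypothetical directory, outside the web root
$requested = (string) ($_GET['f'] ?? '');     // the file name captured by the rewrite rule

// Resolve the name inside $baseDir and refuse anything that escapes it (e.g. "../../etc/passwd").
$path = realpath($baseDir . '/' . $requested);
if ($path === false || strpos($path, $baseDir . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Only hand out the media types the site actually serves; anything else is treated as missing.
$allowed = [
    'mp4'  => 'video/mp4',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    http_response_code(404);
    exit('Not found');
}

// Step 4: hand the transfer back to Apache. mod_xsendfile strips the X-Sendfile header,
// streams the file itself and answers Range requests, so download resuming keeps working
// and PHP never has to read the file into memory.
header('X-Sendfile: ' . $path);
header('Content-Type: ' . $allowed[$ext]);
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('Cache-Control: private, no-store');   // keep shared caches from replaying it to other users
exit;
```

On-site use keeps working unchanged: an `<img src="/media/photo.jpg">` or `<video src="/media/testvideo.mp4">` tag makes the browser request the rewritten URL with the session cookie attached, so a logged-in visitor gets the file from Apache while the same URL pasted into a fresh browser returns 403. Because `XSendFilePath` restricts where Apache will read from, a bug in the script's path handling cannot turn X-Sendfile into a way to read arbitrary server files.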