Mostafa Elkady

Reputation: 5791

How can I protect my site from being leeched?

I am using the header function of PHP to send the file to the browser with some small code. It works well, and I have it so that if anyone requests it with a referer other than my site, it redirects to a page first. Unfortunately, it's not working with Internet Download Manager.

What I want to know is how the RapidShare and 4shared sites do this.

Upvotes: 0

Views: 259

Answers (4)

Artjom Kurapov

Reputation: 6155

The problem is probably that sending a file through a PHP script (with the headers you mentioned) doesn't support starting the file download at a certain position. Download managers use this feature to download a file using several simultaneous threads (assuming the server gives one thread at a certain speed).

For a small project, I would recommend making a copy of the file with a unique filename just for the download time and redirecting the user to this copied file. This way he gets full server download features, and it also doesn't load the processor as PHP does. Disadvantages: more disk space is required, and the download directory needs to be cleaned up.

Upvotes: 1

Walter White

Reputation:

A typical design pattern is using a front controller to have a single entry point for all requests. By having a front controller, you can control exactly what the client sees.

You can configure this in Apache so that all requests go through a single file (it's been a while since I've done this because I now concentrate on Java). I think you would need to look at pathinfo documentation for Apache.

This might require a significant change in the rest of your application code. But, the code will be more secure and maintainable in the long run.

I've served images and other binary files through this pattern. This allowed me to easily verify users were authenticated before actually sending them the file. Obfuscation is not security, so if you rely on obfuscating your URL, an attacker may be delayed in getting in, but it is just a matter of time.

Walter

Upvotes: 2

berty

Reputation: 319

Not all browsers / software that can see web pages will send a Referer to your server. Some sites will make a browser "fingerprint", usually hashed, which might be Referer, User-Agent and a couple of other headers strung together to make a unique identifier for that user and thus restrict access as you describe.

Of course, I may have completely missed the point of your post!

Upvotes: 2

tmpvar

Reputation: 1341

You could use sessions to make sure the download is being requested by a valid user.

Upvotes: 2
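
The session check suggested in the answer above, combined with the byte-range support that Artjom Kurapov's answer says download managers rely on, as an added example that is not code from any of the answers. The session key `user_id`, the `file` query parameter and the `/srv/downloads` directory are assumptions made for illustration.

```php
<?php
// Added example, not code from the answers on this page.
// Assumed names: $_SESSION['user_id'] (set at login), ?file= parameter, /srv/downloads.
// Returns [start, end] for one satisfiable range, null to send the whole file,
// or false when the range cannot be satisfied (416).
function parse_range(?string $header, int $size)
{
    if (!preg_match('/^bytes=(\d*)-(\d*)$/', trim((string)$header), $m)) return null;
    [, $s, $e] = $m;
    if ($s === '' && $e === '') return null;          // "bytes=-" is malformed: ignore it
    if ($s === '') {                                   // suffix form: the last N bytes
        if ((int)$e === 0 || $size === 0) return false;
        return [max(0, $size - (int)$e), $size - 1];
    }
    if ($e !== '' && (int)$e < (int)$s) return null;  // end before start: ignore it
    if ((int)$s >= $size) return false;
    return [(int)$s, $e === '' ? $size - 1 : min((int)$e, $size - 1)];
}

session_start();
if (empty($_SESSION['user_id'])) { http_response_code(403); exit; }
session_write_close();   // release the session lock so parallel segments are not serialized
// basename() drops any directory part, so the request cannot leave the download directory.
$path = '/srv/downloads/' . (is_string($_GET['file'] ?? null) ? basename($_GET['file']) : '');
if (!is_file($path)) { http_response_code(404); exit; }
$size  = filesize($path);
$range = parse_range($_SERVER['HTTP_RANGE'] ?? null, $size);
if ($range === false) {
    http_response_code(416);
    header("Content-Range: bytes */$size");
    exit;
}
[$start, $end] = $range ?? [0, $size - 1];
if ($range !== null) {
    http_response_code(206);
    header("Content-Range: bytes $start-$end/$size");
}
header('Accept-Ranges: bytes');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
header('Content-Length: ' . ($end - $start + 1));

$fh = fopen($path, 'rb');
fseek($fh, $start);
for ($left = $end - $start + 1; $left > 0 && !feof($fh); $left -= strlen($chunk)) {
    $chunk = (string)fread($fh, min(8192, $left));
    echo $chunk;
    flush();
}
fclose($fh);
```

Access here depends on the session, not on the Referer header, so a client that omits or changes the Referer gets the same 403 as any other unauthenticated request.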
