Harry

Reputation: 304

Prevent Download Via URL

I currently have a PHP file that asks you to log in using a MySQL database. Once logged in, 3 links appear allowing me to download files. However, if I access the file directly it will download without having to log in. How would I prevent people from downloading via the URL bar, but still allow JavaScript to download the file?

If this isn't possible, is there something else I can do to allow download? For example, using PHP to download instead of JavaScript? I know JavaScript is client side, so I wonder if that will prevent it from accessing the download.

I can't really give much code, but here is the JavaScript that downloads it. The link basically calls the downloadLink function:

    // cLog is the page's own logging helper (defined elsewhere, not shown here)
    var downloadURL = function downloadURL(url) {
        cLog("STDOUT: Attempting Download Of File: " + url);
        var hiddenIFrameID = 'hiddenDownloader',
            iframe = document.getElementById(hiddenIFrameID);
        // Reuse the hidden iframe if it already exists, otherwise create it once
        if (iframe === null) {
            iframe = document.createElement('iframe');
            iframe.id = hiddenIFrameID;
            iframe.style.display = 'none';
            document.body.appendChild(iframe);
        }
        // Setting src makes the browser request the file; the server sees a plain GET
        iframe.src = url;
    };

    function downloadLink(fileLink) {
        if (fileLink) {
            cLog("STDOUT: File Link: " + fileLink);
            downloadURL("/DownloadAssets/" + fileLink);
            cLog("STDOUT: Function Finish, File Should Be Queued");
        } else {
            cLog("ERROR: No File Link");
        }
    }

Upvotes: 1

Views: 3841

Answers (3)

JerzySkalski

Reputation: 624

First you need some 'login system' for your site. Then you need the Apache web server (or another one that handles 'mod_rewrite' rules, but in Apache the configuration is super simple [just create a .htaccess file]).

All you need to do is to block access to the files in the folder with the files (and give it only to logged-in users).

  1. Create a file .htaccess (hard to do on Windows [that name of file], try to download that file from the internet) in the folder with the files to download, with this content:

http://paste.ots.me/562452/text

(this .htaccess file should redirect all HTTP requests to that folder to the file download.php)

  2. Create a download.php file with this content:

http://paste.ots.me/562451/text

// for some unknown reason I cannot paste code in the post.

Upvotes: 0

jfriend00

Reputation: 707486

Basically, you can't.

An HTTP server has absolutely no idea whether any given HTTP request is coming from the browser URL bar, an iframe in a page or from JavaScript code. They are all just HTTP requests.

If you want to allow some types of access and prevent other types of access, then you have to implement access control on your server so that the HTTP request is not fulfilled unless the proper credentials are provided.

The challenge with the browser environment is that pretty much nothing in your client-side code is secure (it is all available for inspection by anyone), so a determined hacker will be able to find any secret codes you put in your client-side JavaScript to be used as credentials, and they can then use them whenever.


I can't tell exactly what you're really trying to do, but sites that want to provide downloads to only certain users often do something like this:

  1. Make the user login to your site
  2. This provides a unique user ID in their cookie that comes with all HTTP requests from that user.
  3. Then coin a unique download URL with some unique codes in it.
  4. In your own database server-side, create a record that associates those download URL codes with the user ID that they belong to.
  5. When an HTTP request comes in for that unique download URL, your server extracts the download codes from the URL, extracts the userID from the cookie sent with the request, looks the codes up in the database and checks whether this is the correct userID for those codes.
  6. If they match, the server serves up the appropriate download file.
  7. If they don't match, the server serves up a file advising the user that they are not authorized to download that file and instructs them what they have to do to obtain authorization.
  8. A server will typically expire these download codes after some short period of time (e.g. a few days) so they can only be used in the short term.

This technique makes it so there is no universal download link that everyone can use, and it prevents one user from sharing the download link with other users.

This technique will not attempt to discern the difference between someone typing a request in a browser URL bar vs. one coming from an iframe or one coming from a JavaScript request, and generally there should not be a need to know the difference. Any content that can be gotten any of these ways can be used the same, so there is no real security benefit to allowing only one way and preventing the others.

Upvotes: 1
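The eight-step scheme in the answer above, as an added illustration that is not part of the original answer or the asker's PHP site. It is written in Python rather than PHP so the server-side logic is easy to read and run; the in-memory dicts stand in for the MySQL tables, the session cookie plays the role of the logged-in user's cookie, and the `/DownloadAssets/` prefix mirrors the asker's URL layout. The `now` parameter is a constructed hook for exercising the expiry step.

```python
import secrets
import time

# Constructed in-memory stores standing in for the asker's MySQL tables.
SESSIONS = {}    # session cookie value -> user_id
DOWNLOADS = {}   # download code -> (owner user_id, file name, expiry timestamp)
TOKEN_TTL = 2 * 24 * 3600   # step 8: codes only live for a couple of days

def login(user_id):
    """Steps 1-2: after a successful login, issue an opaque cookie bound to the user."""
    cookie = secrets.token_urlsafe(32)   # unguessable, so the cookie itself is the secret
    SESSIONS[cookie] = user_id
    return cookie

def issue_download_link(cookie, file_name, now=None):
    """Steps 3-4: coin a random code and record which user and file it belongs to."""
    user_id = SESSIONS.get(cookie)
    if user_id is None:
        return None                      # not logged in: no link is minted at all
    code = secrets.token_urlsafe(32)     # random, so links cannot be predicted or enumerated
    expires_at = (now if now is not None else time.time()) + TOKEN_TTL
    DOWNLOADS[code] = (user_id, file_name, expires_at)
    return "/DownloadAssets/" + code

def serve_download(cookie, url, now=None):
    """Steps 5-7: the code in the URL must belong to the user identified by the cookie.
    Returns (status, body); a real server would stream the file on 200."""
    code = url.rsplit("/", 1)[-1]
    record = DOWNLOADS.get(code)
    user_id = SESSIONS.get(cookie)
    # Unknown code or missing/invalid cookie: same generic refusal, no hint which one failed
    if record is None or user_id is None:
        return (403, "not authorized")
    owner, file_name, expires_at = record
    if (now if now is not None else time.time()) > expires_at:
        DOWNLOADS.pop(code, None)        # step 8: stale codes are dropped, not honoured
        return (403, "link expired")
    if owner != user_id:
        return (403, "not authorized")   # a shared link fails for anyone but its owner
    return (200, file_name)

if __name__ == "__main__":
    alice = login(42)
    link = issue_download_link(alice, "report.pdf")
    print(serve_download(alice, link))          # (200, 'report.pdf')
    print(serve_download(login(7), link))       # (403, 'not authorized')
```

Whether the request arrives from the URL bar, the hidden iframe in the question, or a script makes no difference to `serve_download`; only the cookie and the code in the URL are consulted.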

user3886234

Reputation:

This isn't really something you solve with JavaScript, since that is run client-side. When you have users log in, you would need to place a cookie in their jar that signifies that they've logged in. On your web server, only allow people who have that auth cookie to access that URL.

Upvotes: 0
