How to protect a download ?

[ciberyan]

Hello to all here

I have a reluctant problem solved for the moment by a simple HTACCESS
I have page with lot of download links
I DONT want to protect these paged themselves but the action of download
HTACCESS do the job but visitor has to enter pass and login for each files which is a pain
I look for a way to login on the website and to give access to the download
Everything I see is to protect page that contain the download links ant that's not what I look for.
I want the visitor know what he can find on the web site. I just want he register to get acces (validate) the dowload link itself

I hope to be clear ..

Thanks in advance for your attention

[Navaldesign]

Well, there are ways to do what you want in WB.

Create a page with the download links. The links should have this format:

download.php?id=1
download.php?id=2
etc,

where 1, 2 ........ n are integer numbers each one corresonding to each of the files that you want to allow download.

Then, create a php file with this code:

Code: Select all

<?php
error_reporting(0);

session_start();
if(!isset($_SESSION['username']))
{
   header('Location: deny_page.php'); // Replace "deny_page.php" with your actual denial page name
   exit;
}
$folder = "strangefoldername"; // This is the folder where your files are, make its name rather strange like "hJ68bkG9"

$file[1]= "filename1.pdf";
$file[2]= "filename2.doc";
$file[3]= "filename3.xls";
// Add as many as necessary

$file_name = $file[intval($_GET['id'])];
$file_path= $folder."/".$file_name;
$file_type = filetype($file_path);

$data = file_get_contents($file_path);
$file_size = strlen($data);

header("Pragma: public");
header('Expires: '.gmdate('D, d M Y H:i:s').' GMT');
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);

header("Content-type: Application/ $file_type");
header("Content-Disposition: attachment; filename=$file_name");
header("Content-Description: Download PHP");
header("Content-Length: $file_size");
header("Content-Transfer-Encoding: binary");

header('Expires: '.gmdate('D, d M Y H:i:s').' GMT');
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);
header("Content-Description: File Transfer");
header("Content-type: $file_type");
header("Content-Disposition: attachment; filename=\"$file_name\"");
header("Content-Description: Download PHP");
header("Content-Length: $file_size");
header("Content-Transfer-Encoding: binary");


$file = @fopen($file_path,"r");
if ($file) {
   while(!feof($file)) {
        $buffer = fread($file, 1024*8);
        echo $buffer;
    }
  @fclose($file);
}
?>

Copy the code in Notepad, Save As, select File Type: All files, and save as download.php. Of course, you need to change the first lines to include the real filenames, as well as your deny page (the same used in your login script). In the denial page inform the user that he has to be registered and logged in, and provide a link to the registration page and the login page. OR, if you don't use the login script for other purposes, make the denial page be the login and registration page.

This code will "see" if the user is logged in, and if yes, it will "read" the file and output it to the browser as download. If not logged in, it will send the user to the denial page.

Please note that the script will fail if the stat() function is disabled (it is, in certain hosting companies, for security reasons)

If that is the case, the script should include a second array with the MIME filetypes of the files.

[Navaldesign]

Demo: http://www.dbtechnosystems.com/wb6/download


Download the demo project:
http://www.dbtechnosystems.com/wb6/down ... wnload.zip


It is enough to place the files in a subfolder or in an upper level folder.
The updated download script will NOT display the folder, only the file name. So it would be quite secure.

[ciberyan]

Thanks for your idea

Can you explain a little bit the format of
$file[1]= "filename1.php";

let say my file is doc.pdf

how should I write this line ?

Thanks again

[Navaldesign]

Just replace "filename1.php" with "doc.pdf"

$file[1] = "doc.pdf";

If you open the download.php file included in the zip, it will become clear. Use Notepad if you don't have a php editor.

[ciberyan]

Thanks again for your time

[jerryco]

How to make this work for the Single Page Protect object?

[Navaldesign]

Replace this line:

if(!isset($_SESSION['username']))

with


if(!isset($_SESSION['password']))

[jerryco]

Beautiful. Thank you.

[ciberyan]

Naval, sorry to come back to you again ...

Is there a way to replace the button you are using by an hyperlink (text) or an image with a link ?

Thanks in advance

[me.prosenjeet]

Wow this is a real good thing to protect download links

[Navaldesign]

Naval, sorry to come back to you again ...

Is there a way to replace the button you are using by an hyperlink (text) or an image with a link ?

Thanks in advance

Certainly, you can use ANY type od link: image, text, button, anything, as long as you link it as per instructions.

[ciberyan]

Hello Naval

I am afraid to need your help once more time

Everything is ok as long as file are NOT .exe type
exe type will be downloaded but extension is truncated
Any way to avoid this ??

Thanks for your valuable help

[Navaldesign]

Yes, zip the .exe files.

[ciberyan]

Thanks anyway

Just have to redownload Mo of files ...

an "extension" version of this WONDERFUL piece of software would be great
(ie, instead of editing by hand the php file)

[ciberyan]

Hello Naval

I have very few users that complain that instead of downloading the target file, this downolad an empty file with the name of the php script itself ....

Any clue where I have to look ? as this never happen on my side

Thanks in advance

[Navaldesign]

These users are probably using a download manager. This type of software have this issue.

Only solution I can suggest is that when this download Manager window opens, they should click on Cancel. Immediately after that, the classic Windows download window will appear and they can download normally (save or open)

[ciberyan]

Hello Naval !

I am in big trouble as for an unknwon reason (at least for me !) the script is not working anymore suddendly ...

Each try to load a file resend me on the login page exactly as I was no logged then I am with no error from WB7

What can I do to check where can be the problem ?

You speak of the STAT() problem, how can I check if this is the issue ? any way to bypass that

Thanks in advance for your time and patience ...

[Navaldesign]

Let me understand this correctly.....

You are sying that actually the user can't log in and is always sent to the login page ?

If yes, and you have not changed anything, then probbaly the issue is that sessions are no longer preserved in your site.

Can you log in normally in other protected pages (not the download page) ? If not, it is (almost certainly) an issue with sessions, and you should ask your hosting company to check it.

[ciberyan]

Arghhh ...

It seems I cant log to any page protected

I have added a "logging name" tool to my redirect after logging page and it say : "Welcome Not logged in"
So this seems a problem on the site itself not in your code

To help during fixing, can you see a mean to systematically allow the download, logged or not ?
What should I add or modify in the PHP code of the page to do that
At least visitors will can download !

Thanks in advance

[Navaldesign]

Not sure what you are asking me....

If you want to allow download, to non logged in visitors, just remove the protection code from the downloader script, and you are done.

[ciberyan]

I think I have solved the last part by my self !

I put comment around the test so now users have allowed download up to I solve the last part with my provider !

Thanks

[me.prosenjeet]

You can easily protect the download while having a antivirus in your computer.And if you want to protect it while downloading than you must try internet downloader software.It will helps you in downloading files securely.

Elaborate please

[ciberyan]

Hello
It was some time before I come back again with my questions ...

The logging system works like a charm no problem BUT to avoid boring visitors unnecessarily, how can I, once logged in, stay logged even if the visitor close his browser and shut off his computer ??
is there a way to save that somewhere ?
with this system, when the visitor come back, he will be directly logged

Thanks in advance for you valuable idea !

[Pablo]

how can I, once logged in, stay logged even if the visitor close his browser and shut off his computer ??

This is not possible, unless you modify the code yourself.

[ciberyan]

Hello

Of which code are you speaking about ??

[Pablo]

Of which code are you speaking about ??

The code generated by Web Builder for the login tools.

[ciberyan]

Ok
Seems difficult
Offering this possibility could be interesting anyway

edit : Does a system using cookie can achieve that may be ?

[Navaldesign]

This might be due to server settings: memory_limit and buffer settings.

For big files there are different pieces of code that outut each chunk whithout buffering the entire file in memory. However, these are out of the limits of the free help I can provide in this forum.

[Navaldesign]

In just a few words: No
The download is not immediate but through the script that "reads" the file and outputs it to the browser, so it is slower than a direct download.

However the difference should be minimum and not visible to the user.

I don't know why the "Pause" button is disabled. Furthermore the script might have issues with Download Managers as they usually download an empty php file instead of the file itself.

[ciberyan]

Hello Naval

Dont know if still monitor this old thread but just in case ...

I have two problems (as usual ...)

a) whatever the type of file, zip, exe, pdf, the download box say " it is a file of type : PDF" ??

b) I seems have trouble to download big file (70 Mo) but 62 is ok; I got a file with zero bytes, any idea ?

Thanks anyway for your help already

[Navaldesign]

1) Only possible explanation is something wrong in your file names definition, lines

$file[1]= "filename1.pdf";
$file[2]= "filename2.doc";
$file[3]= "filename3.xls";
// Add as many as necessary


Check if the extensions used are correct.

2) There is no reason for this, at least not to my knowledge. Might be a server limitation ?

[ciberyan]

Thanks for your answer

Everything seems fine in the definition, and everything works well, just this TYPE wich is wrong even if the "Openw with ..." is ok



Anyway not a big deal !

For the file size, I need to check with my hoster, but will be complicate !

Thanks for all

[ciberyan]

Hello Naval
Hoping you still have an eye on this (old) thread
I try to improve my site step by step and discover recently the "Open link in Lightbox" function, which is working well

To make the process of download more fluent and not too complicate with multiples windows opening, I wonder if it could be possible to open the Login page in a lightbox ??
In this case the visitor stay on the downoload page (dimmed in the background) and when logging is filled successfullt, can click again the link to download

Hoping to be clear

[Navaldesign]

Yes, it is clear, however at the moment I unfortunately don't have the necessary time to see how / if this can be done. Maybe within a few weeks.

[ciberyan]

Having read it is already great !

Thanks for you time

[ciberyan]

Hello Naval

I dont know if you still monitor this old thread but unless someone can point me on the right direction for an equivalent feature, you are still my savior ... up to the last few days (weeks ?)

Since some time, strangely, the script stop working, keeping ro ask to logging even if already logged

Do you have an idea how I can debug that ? some variable to monitor ? I am really a noobs with php, keep it in mind

Thanks in advance for you valuable help

[Navaldesign]

Most probably it is a server issue with the "session_save_path".
Often hosting companies make PHP updates and they change the default settings.

To verify if this is the case, try loging in and visiting a protected page (which does NOT contain the script).
If you can't visit that either, most probably the issue is what I mentioned.

[ciberyan]

Hello Naval

Glad to see you are still ready to help

My site is handled on AWS, feel that the discussion will not be easy ...

Thanks anyway

[ciberyan]

Just as a follow-up, I, of course, get nothing from Amazon neither from my IT, which hate seeing individual insisting to have their own website

I have checked, and PHP does not have a session_save_path variable set in php.ini. It does, however, use /tmp/ on the server for temp session files, which we use in IT all the time, to keep users connected to their own profiles and accounts.

One thing to keep in mind is that when the site is live it is on multiple servers in multiple Amazon data centres, using load balancing, the load balancer will keep the user to the same server, while the session is alive, based on the SESSION_ID cookie, which PHP issues and uses.

> So your application needs to understand that it will need to use php sessions to keep to one server
> Our servers are refreshed at least daily, and thus you can not store files on the server today and expect them to be around tomorrow.

It is clearly a Session problem, the more weird is that the site is working well in the buffer zone on AWS and dont works when bring live

Dont know how I will end with that

[Navaldesign]

They are correct in saying that they use the /tmp directory and SHOULD work fine.
However, not always this is true.

Please test as I suggested and see if you can stay logged in a protected page (without the script), just to make sure that sessions work ok.