Protecting downloads on a remote server

I have 2 servers. On server 1, I have a WordPress site. On server 2, I have large .zip files that I want members from the WordPress site to be able to upload.

How can I authenticate these users so that only people who are members of the website can upload files from the second server?

Is it possible to use PHP so that only referrers from my domain have access to the files?

Note: Links for downloading files are protected on the WordPress website, so users without registration are redirected to the connection page. However, current and former members will still know the directory where the files are downloaded, and possibly upload files or share links.

+4
2 answers

There are several ways to do this. The safest way would be to have some internal communication between server 1 and server 2. But here is an easy alternative:

Server 2: download.php

<?php
$file = $_GET['f'];
$code = $_GET['c'];
$ip   = $_SERVER['REMOTE_ADDR'];

// The token must match the hash of the requesting IP and the shared salt
// (strict comparison: md5 hex strings such as "0e123..." compare loosely equal under ==)
if ($code !== md5($ip . 'salt')) {
    die('authentication denied');
}

// Keep only the file name, so "../" in ?f= cannot escape the download directory
$file = basename($file);
$path = '/files/downloads/' . $file;
if (!is_file($path)) {
    die('file not found');
}

// Set headers
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Disposition: attachment; filename=\"$file\"");
header("Content-Type: application/zip");
header("Content-Transfer-Encoding: binary");

// Read the file from disk
readfile($path);
?>

Server 1: download link

<?php
// The token is the hash of the visitor's IP plus the same salt server 2 uses
echo '<a href="http://server2.com/download.php?f=text.txt&c=' . md5($_SERVER['REMOTE_ADDR'] . 'salt') . '">Download File</a>';
?>

This system works by creating a link that can only be used on the IP address for which it was created. Thus, a registered user cannot use the link elsewhere. This is not the safest thing, but it is easy to implement and will work.

+6

One neat solution might be to use a token system based on the current time. You can take the current hour of the day, use it with some salt, and put it in the query string as a token. Then the PHP script on the second server can check whether the request hash string is the same as the hash generated for the current hour of the day with the same salt on the server side.

To make sure that the user does not hit the clock switch, you can check the previous hash.

This makes sure that the file URL will not be available for more than two hours, with a guaranteed availability time of one hour.

On server 1:

<?php
// Token for the current hour of the day (date('G') is 0-23) combined with the secret
echo '<a href="http://server2.com/download.php?token=' . md5(date('G') . 'secret_word') . '&file=file.zip">Link</a>';
?>

On server 2:

<?php
$current_hour_hash  = md5(date('G') . 'secret_word');
// Hour before the current one; +23 instead of -1 so that hour 0 wraps to 23 rather than -1
$previous_hour      = ((int) date('G') + 23) % 24;
$previous_hour_hash = md5($previous_hour . 'secret_word');

if ($_GET['token'] !== $current_hour_hash && $_GET['token'] !== $previous_hour_hash) {
    die();
} else {
    // ... code sending file here
}
+1
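Both answers above derive the token with an unkeyed md5 over a short secret, and neither ties the token to the file name, so one valid link lets its holder fetch any file in the directory. The following is an added example that is not code from either answer: a single shared secret, an HMAC over file name, expiry time and client IP, a constant-time comparison, and a file-name check before anything is read from disk. It assumes both servers share $secret (a long random string such as the output of bin2hex(random_bytes(32))), that server 2 serves from /files/downloads, and that server 2 sees the real client address in REMOTE_ADDR; the function names and the https://server2.example URL are hypothetical.

```php
<?php
// Added example, not from the original answers. Signed, expiring download links
// bound to the client's IP. Both servers must hold the same $secret.

const DOWNLOAD_DIR = '/files/downloads';   // assumption: download directory on server 2
const LINK_TTL     = 3600;                 // seconds a link stays valid

// Keyed hash over every parameter the server will trust. "\n" separators keep the
// fields from running into each other ("a.zip" + "12" vs "a.zip1" + "2").
function download_token(string $secret, string $file, int $expires, string $ip): string
{
    return hash_hmac('sha256', $file . "\n" . $expires . "\n" . $ip, $secret);
}

// Server 1 (WordPress): build the link for a logged-in member.
function signed_download_url(string $secret, string $base, string $file, string $ip, int $now, int $ttl = LINK_TTL): string
{
    $expires = $now + $ttl;
    $token   = download_token($secret, $file, $expires, $ip);
    // The IP is not put in the URL; server 2 recomputes the HMAC from REMOTE_ADDR.
    return $base . '?' . http_build_query(['f' => $file, 'e' => $expires, 't' => $token]);
}

// Server 2: returns [path, null] when the request may be served, or [null, reason].
function verify_download(string $secret, array $query, string $ip, int $now, string $dir = DOWNLOAD_DIR): array
{
    $file    = (string) ($query['f'] ?? '');
    $expires = (int)    ($query['e'] ?? 0);
    $token   = (string) ($query['t'] ?? '');

    // Only a plain, non-hidden file name inside the download directory is acceptable;
    // anything containing a path separator ("../etc/passwd") differs from its basename.
    if ($file === '' || $file !== basename($file) || $file[0] === '.') {
        return [null, 'bad file name'];
    }
    // Expiry is checked before the signature so the error message does not reveal
    // whether an expired token was otherwise valid.
    if ($now > $expires) {
        return [null, 'link expired'];
    }
    $expected = download_token($secret, $file, $expires, $ip);
    // hash_equals: constant-time, and immune to the loose == comparison of hex strings.
    if (!hash_equals($expected, $token)) {
        return [null, 'bad signature'];
    }
    $path = $dir . '/' . $file;
    if (!is_file($path)) {
        return [null, 'file not found'];
    }
    return [$path, null];
}

// Server 2: stream the verified file.
function send_download(string $path): void
{
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');   // signed links must not be cached by shared proxies
    readfile($path);
}

// Command-line self-check with constructed inputs (addresses from the documentation range).
if (PHP_SAPI === 'cli') {
    $secret = bin2hex(random_bytes(32));    // in production: the same value on both servers
    $url = signed_download_url($secret, 'https://server2.example/download.php', 'report.zip', '203.0.113.5', time());
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);

    [, $err] = verify_download($secret, $q, '203.0.113.5', time(), sys_get_temp_dir());
    echo "same client:  " . ($err ?? 'ok') . "\n";
    [, $err] = verify_download($secret, $q, '198.51.100.7', time(), sys_get_temp_dir());
    echo "other IP:     $err\n";
    [, $err] = verify_download($secret, ['f' => '../etc/passwd'] + $q, '203.0.113.5', time());
    echo "traversal:    $err\n";
    [, $err] = verify_download($secret, $q, '203.0.113.5', time() + 2 * LINK_TTL, sys_get_temp_dir());
    echo "after expiry: $err\n";
}
```

Run from the command line, the self-check exercises the four rejection paths: the same client passes the signature check (and then reports the file as missing unless report.zip exists in the temp directory), a different address fails the signature, a traversal attempt fails the file-name check, and a request two hours later fails the expiry check. The IP binding is the part to weigh before deploying: clients behind carrier NAT or a VPN may change address mid-session, and if server 2 sits behind a reverse proxy REMOTE_ADDR will be the proxy's address, in which case the IP must come from a trusted X-Forwarded-For value or be dropped from the HMAC entirely, leaving the expiry as the limit on link sharing.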
