Http_referer

JL2k

Hi,
I've been reading around, and I've noticed that HTTP_REFERER doesn't always return the correct information, depending on the browser, and can also be spoofed.
Now, I was wondering if there was another way to detect where the user is coming from?
What I am trying to do, is only allow certain users to download certain files.
What would be the best way to do this, I have thought that it may be possible to store the file in a database, and access the file via a query, but I should imagine this may create a rather high load on the server...
Any other ideas?
I am running Apache 2.0.44 with PHP 4.3.0 as a Module on Windows XP.
Thanks,
Jamie

bretticus

Forgive me for not being well read on the subject. I do believe however that it's the browsers responsibility to send the HTTP_REFERER header (as you stated). I don't see how this information could be retrieved in any other form if the browser does not send it. Judging by you requiring HTTP_REFERER as a prerequisite meaning perhaps you want them to visit a certain page before coming to your download page, why not just used cookies?

bretticus

The best way to ensure that only certain users download certain files is to use HTTP authetication, cookies, or sessions giving each user a unique username and password. If you need more advice on this, I'll ask you to consult PHP Manual . I would use a database server to manage user accounts such as MySQL. They have a Manual at their site too.

JL2k

In a way, yes.
I am already using cookies to make sure that user can only access the download page once he is logged in etc...
The problem I am having, is if I was to just give the user the download link, then it could be passed on, and anyone could download from it without being a member of the site.

I'm assuming the function I want would have to be done through some sort of .htaccess file (though it wouldn't be called that since I am using windows)

Say I have a game.exe file in the downloads folder, I only want that file to be accessible when that user is logged in, and re-directed from the download page (hence my inital thoughts of HTTP_REFERER - though I now realise it's not going to be possible to use that anyway)

Cheers,
Jamie

JL2k

I've just been browsing through some old forum posts, and I came across this useful post:
http://www.phpbuilder.com/board/showthread.php?s=&threadid=10228491

So, problem solved!

Thanks!
Jamie

bretticus

Right,

So instead of the link going to a PHP parsible page where you can control whether it can be accessed via cookie, you were referring to binary files for download. Why didn't you just say so?🙂

Glad that post had the info you needed.

bretticus

Whoops, i guess you did! My bad!