HTTP_REFERER + AntiLeech + Disable direct Type ins

xbaez

Hello
Here is my .htaccess file:

RewriteCond %{HTTP_REFERER} !^{[url]http:///url?mysite.(net|com)} [NC]
RewriteRule .(zip|rar|exe|tar|tgz|gz)$ - [NC,F]

Ok, problem solved, nobody can link to my downloads. Even my own users who's HTTP_REFERER is blank

BUT, if I add the following line:
RewriteCond %{HTTP_REFERER} !^$

THen those users will be able to download my files, BUT, direct type ins will also work.

My question is
1) How can I password protect the /download directory so that PHP will send the correct Apache user + password in the header (Location...) part of the script?

I was told that HTTP_REFERER was imperfect, and in fact, it is.

So I was told to password protect the directory, sounds a good idea

But how can I make this transparent for my users?

I mean, I want them to see the page, go click on a "Download" button, and the download should start

Mozilla users will be able to see the complete URL in their Download Manager, however, if they type it directly, they should get a "User and Password required".

So this should be the perfect solution, featuring:
1) Permission for my users with HTTP REFERERS
2) Permission for my users with blank HTTP REFERERS
3) Denial to direct type ins
4) Denial to linking from other sites

Any suggestion will be appreciate, I've been googling and php.netting for around 1:30 hours with no clue how to do this.

I just know that aparently you can't modify the HTTP_REFERER variable, so I'm in trouble.
And I don't know how to send the PHP_AUTH_USER and PASS with PHP.

Regards
Xavier

thorpe

um, not sure im 100% with you, but, couldn't (providing you have a login system on your site) lockdown the entire downloads directory and then use the [man]header/man function to create your download links?

im a bit over my depth here, but it seems feasable.

mrhappiness

code for all pages reachable directly via web browser

<?php
session_name('picprotecting');
session_start();

after that you have two different codes

code for all pages except the page showing the picture

//if he visits my page he is allowed to view the picutures
$_SESSION['has been to my site'] = true;

code for picture displaying page

if (isset($_GET['pic'])) {
  //we have a picture that is to be display
  //remove all but the filename (security)
  $_GET['pic'] = basename($_GET['pic'];
} else {
  //no pic provided
  $_GET['pic'] = 'nopic.jpg';
}
if (empty($_SESSION['has been to my site'])) {
  //user has not been to your site before
  //maybe he directly typed in the url
  $_GET['pic'] = 'nopic.jpg';
}
if (!empty($_SERVER['HTTP_REFERER']) and !preg_match('%^http://([a-z0-9-]+\\.)?mysite\\.(net|com)%siU', $_SERVER['HTTP_REFERER'])) {
  //referer was transferred but does not point to your site
  $_GET['pic'] = 'nopic.jpg';
}
// start displaying $_GET['pic']
// using header, readfile all that good stuff
// you will find if you only look for it ;)

hth

only thing i can think of:
a user visits your site, the $_SESSION get's updated and afterwards this user may be able to view your pictures linked by other pages if he does not send a referer

xbaez

Hey folks, thanks for your support

What I did was use a:

.htaccess
.htaccess_allow_blanks
.htaccess_disallow_blanks

So what I did, is check the referer,

if it's empty, then
copy the .htaccess_allow_blanks to .htaccess, download start

However, every time a user access my page again, copy the .htaccess_disallow_blanks to .htaccess, download start

Here, you can all try it:

http://downloads.gamingaccess.com/index.php?file_id=3448

You will probably see:

Authentic user: [OK]

else, you'll see

I can't verify that you're an authentic use, upgrading permissions... [OK]

Thanks for all the ideas, hope this can be usefull for somebody

I did passed a lot of months trying to figure out a 'perfect' anti-leech system is.