I'd like to protect some files with a session Authentication. Some files can be viewed by users, some not.

I've implemented a solution with mod_rewrite and readfile(). My problem is that this function will use a lot of RAM and the server goes down when more users download files.

I tried this:

1) Pass a file through the PHP handler and use the prepend function. It doesn't work because when the prepend PHP file finished, the handler processed the file, and in my case the handler was blocked because of invalid ASCII chars. I couldn't manage to stop the handler from processing but output the file.

2) Put the session, IP and the folder name in a temporary file, which I tried to check in my nginx.conf to exclude from rewriting. I failed because I was not able to extract only the folder name in nginx into a variable.

How can I solve this problem? Has anyone a suggestion?

Thanks

brokedid

1 Answer

If I understand the question correctly, you are trying to create a system that only allows authorised users to view certain files, and other users to view other files.

If my understanding is correct, then I would personally store the files above the root or in a secure location, and then have an access script (such as fetch_file.php) with a unique identifier in the URL (e.g. fetch_file.php?uid=1234).

If the user is authorised to access the file with the unique id of 1234, provide the file from the location details within the database, otherwise deny the request.

This way, the user cannot access the file without the correct permissions, as it is stored securely above the root which should not be accessible from the internets.

David
  • Have you got output buffering enabled? That can cause memory issues as it won't output the data until the script says so, which means it stores it in RAM. However, if you haven't got it enabled, I'm assuming you're dishing out some big files? – David Sep 22 '12 at 23:30
  • I don't currently have a problem, but this will be a large project, where a lot of users access these files at the same time. I solved this problem with an nginx module: http://wiki.nginx.org/XSendfile Reference: http://stackoverflow.com/a/6528407/514013 – brokedid Sep 23 '12 at 00:37
  • Ah okay. In fairness also, if you are aiming at this becoming a large project with a lot of users, you should also be looking at better hosting solutions that offer more RAM etc., possibly even ones with boostable peaks (where it will auto boost resources if it needs it). Glad you solved your issue anyhow. – David Sep 23 '12 at 09:26
  • Thanks for the tip, but the system is currently in development and I'm looking to reduce the resources to a minimum. Combining the X-Sendfile and the autoscale hosting solution is perfect. – brokedid Nov 04 '12 at 16:36
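
The approach this thread arrives at (an access script that checks the session and looks the file up by id, with nginx delivering the bytes through its X-Accel-Redirect feature), as an added example that is not code from the original posts. The table layout, session key, ownership-based authorisation rule, paths and DSN are assumptions chosen for illustration.

```php
<?php
// fetch_file.php: added example (PHP 8+), not code from the thread.
// Assumed names: table files(id, owner_id, rel_path, mime), session key
// user_id, storage root /srv/protected, internal URI prefix /protected/.
// Matching nginx block (assumed), not reachable by a direct client request:
//   location /protected/ {
//       internal;               # served only after an X-Accel-Redirect
//       alias /srv/protected/;  # directory outside the web root
//   }
declare(strict_types=1);

function resolveDownload(PDO $db, ?int $userId, mixed $uid): array
{
    if ($userId === null) {
        return [401, null];                  // no authenticated session
    }
    if (!is_string($uid) || !ctype_digit($uid)) {
        return [400, null];                  // id only, never a client-supplied path
    }
    $stmt = $db->prepare('SELECT owner_id, rel_path, mime FROM files WHERE id = ?');
    $stmt->execute([(int) $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Same reply for "missing" and "not yours", so ids cannot be enumerated.
    if ($row === false || (int) $row['owner_id'] !== $userId) {
        return [404, null];
    }
    // Defence in depth: a stored path must stay inside the storage root.
    if (str_contains($row['rel_path'], '..') || str_starts_with($row['rel_path'], '/')) {
        return [500, null];
    }
    return [200, $row];
}

session_start();
$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$db = new PDO('sqlite:/srv/app/files.db');   // placeholder DSN
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
[$status, $file] = resolveDownload($db, $userId, $_GET['uid'] ?? null);
if ($status !== 200) {
    http_response_code($status);
    exit;
}
// PHP emits headers only; nginx streams the bytes, so no readfile() buffering.
$uri = implode('/', array_map('rawurlencode', explode('/', $file['rel_path'])));
header('Content-Type: ' . $file['mime']);
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($file['rel_path'])));
header('X-Accel-Redirect: /protected/' . $uri);
```

Because the `/protected/` location is marked `internal`, a request that bypasses the script and asks for that URI directly gets a 404 from nginx, so the session check cannot be skipped.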