How to Password Protect Files (Images, Video, Zip) Dynamically from Public and Allow Access to Members Only

How to password protect files (images, video, zip) dynamically from public and allow access to members only?

You would usually redirect any requests for the media files to a PHP script. The PHP script does the login authentication, and on success, loads the requested media file from a protected location, and passes it through to the browser, for example using fpassthru() or fread().

You can set up a very elegant solution using a set of mod_rewrite instructions, for example rewriting

www.example.com/media/music.mp3

internally to

www.example.com/media/index.php?file=music.mp3

the method is not cheap, as the PHP interpreter has to be started for every download, and pass through every byte of the file. For a discussion of possible alternatives, I asked a question about that a few months back: Performance-oriented way to protect files on PHP level?

How do you normally protect premium section of your website?

You should just not store the MP3 files in a location accessible from the outside. Instead, the link you give to the user should be a link to a page (PHP or anything) which will

verify that the user has the right to access the resource
stream the asked resource to the user

Something like

download.php?mp3FileId=5435

The download.php will check if the user is authenticated and has paid for the file 5435, then read this file from a protected resource, and stream it to the HTTP response, with the appropriate content type set.

Performance-oriented way to protect files on PHP level?

EDIT: How about a hybrid for the administrative interface? In the ACP you could access via the PHP method to, basically, send all file requests to the PHP authing file, but for public, you can use HTTP AUTH/htaccess to determine the availability of the result. this gives you the performance on the public side, but the protection on the ACP side.

OLD MESSAGE:

.htaccess is compatible with most Apache and IIS<7 environments (using various ISAPI modules) when using mod_rewrite type operations. The only exception is IIS7 + the new Rewrite module which uses the web.config file. HOWEVER, I'd be willing to be that you could efficiently generate/alter the web.config file for this instance instead of using .htaccess.

Given that, you could set up redirects using the rewrite method and redirect to your custom 404 Page (that hopefully sends the proper 404 header). It is not 100% appropriate because the actual asset should be the one giving a 403 header, but... it works.

This is the route I would go unless you want to properly create HTTP AUTH setups for every server platform. Plus, if you do it right, you could make your system extendable to allow other types in the future by you or your users (including a php based option if they wanted to do it).

How to prevent users from accessing files on server?

You can move the images into a folder out side the public directory and then stream them in via PHP to the users who are allowed to view them. By using the method detailed in the PHP header() manual for a very basic output (see Example 1).

Otherwise you could put a .htaccess file in the folder containing:

deny from all

if you are running Apache, but you still need to stream it out through PHP.

How to use Apache/PHP to protect directories from users that aren't logged in

Yes there is an apache module you can use for authentication: mod_auth.

It supports multiple backends, so you can make your application share the credentials with it.

Apache itself is extendible at authentication as well, there are other modules that support a mysql database which is called mod_auth_mysql of which multiple variants exist. A better choice might be mod_authn_dbd for Apache 2.2 as it offers a generic interface to SQL databases of multiple flavors. As well, ldap is supported: mod_authnz_ldap.

Another alternative is using you PHP for authentication and then commanding the server to provide the file. That's often referred as X-Sendfile or mod_xsendfile, which is a third-party module.

If you're looking for a PHP only solution, one question that talks about it is How to password protect files (images, video, zip) dynamically from public and allow access to members only?.

Access html files / video files outside htdocs folder

You would use readfile to access the file and the header function to forge the content. Make sure the www-data user, which is the Apache user and PHP uses it to access the filsystem, has permission on that folder.

header('Content-type: video/avi');
header('Content-Disposition: attachment; filename="videodownload.avi"');
readfile('/var/videos/myvideo.avi');

Refused to execute script, strict MIME type checking is enabled?

You have a <script> element that is trying to load some external JavaScript.

The URL you have given it points to a JSON file and not a JavaScript program.

The server is correctly reporting that it is JSON so the browser is aborting with that error message instead of trying to execute the JSON as JavaScript (which would throw an error).

Odds are that the underlying reason for this is that you are trying to make an Ajax request, have hit a cross origin error and have tried to fix it by telling jQuery that you are using JSONP. This only works if the URL provides JSONP (which is a different subset of JavaScript), which this one doesn't.

The same URL with the additional query string parameter callback=the_name_of_your_callback_function does return JavaScript though.

How to Password Protect Files (Images, Video, Zip) Dynamically from Public and Allow Access to Members Only