如何在不暴露物理路径的情况下在线提供可下载文件？

I'm serving up documents that require the user to register before download. Currently, once you register and login, the links to the documents are displayed as:

我正在提供要求用户在下载前注册的文档。目前,一旦注册并登录,文档链接将显示为:

myurl.com/docs/mypdf.pdf

So the physical path to the document is exposed to anyone logged in. What is the best practice for keeping the physical path to the document hidden so registered users can't share direct links with unregistered users or post direct links to the documents elsewhere?

因此,文档的物理路径会向登录的任何人公开。保持文档的物理路径隐藏的最佳做法是什么,以便注册用户无法与未注册用户共享直接链接或在其他地方发布直接链接到文档?

EDIT: I was just looking for an idea that was language agnostic so I chose a few of my favorite languages for the tags. The actual implementation in this case is ASP classic. I'm currently using a download wrapper script that confirms the user is logged in before redirecting to the actual document URL. I just didn't include it in my question for simplicity.

编辑:我只是在寻找与语言无关的想法,所以我选择了一些我最喜欢的语言作为标签。这种情况下的实际实现是ASP经典。我目前正在使用下载包装器脚本,确认用户在重定向到实际文档URL之前已登录。为简单起见,我只是没有把它包含在我的问题中。

8 个解决方案

#1

Don't do that. Instead keep the files somewhere outside the document tree and then make them accessible using a script (eg, php, .Net, whatever)

不要那样做。而是将文件保存在文档树之外的某个位置,然后使用脚本(例如,php,.Net,等等)使它们可访问

The script can check if they are logged in, validate if they are allowed the file, and if so return it. The path they go to might look more like this... /download.php?file=mypdf.pdf

该脚本可以检查它们是否已登录,验证是否允许该文件,如果是,则返回该文件。他们去的路径看起来可能更像...... /download.php?file=mypdf.pdf

Something along the lines of...

有点......

<?php
if (IsUserLoggedIn())
    readfile('/secret/path/to/file/mypdf.pdf');
?>

#2

The best way is to read the file up from a non-web accessible path and write it to the output stream.

最好的方法是从非Web可访问路径读取文件并将其写入输出流。

This seemed to show an OK example in php which you seemed to be using? Just add security check to top of php and kick them out if they are not authorized.

这似乎在php中显示了一个好的例子,你似乎正在使用它?只需将安全检查添加到php的顶部,如果未经授权,请将其踢出。

http://www.higherpass.com/php/Tutorials/File-Download-Security/

#3

the best way to do that is to use a php/asp or serverside scripting file that reads the document a location that isnt available to the outside

最好的方法是使用php / asp或serverside脚本文件,将文档读取到外部不可用的位置

that file then can check if the user is logged in and it can also hide the path to the physical file

然后该文件可以检查用户是否已登录,并且还可以隐藏物理文件的路径

so the url would be www.yourwebsite.com/file.php?file=image.png

所以网址是www.yourwebsite.com/file.php?file=image.png

file.php would verify that the user is logged in then it would read the file or redirect them to the login page

file.php将验证用户是否已登录,然后它将读取文件或将其重定向到登录页面

#4

What you want to do is create a PHP page that does two things:

你想要做的是创建一个PHP页面,它做两件事:

authenticate the user that is making the request

验证发出请求的用户

stream the file to the client

将文件传输到客户端

This link will help with streams. And this code may be helpful:

此链接将有助于流。这段代码可能会有所帮助:

header("Content-Disposition: attachment; filename=$name of pdf that you want to download");
header("Content-Type: application/pdf");
header("Content-Length: ".filesize("$location of pdf/$name of pdf that you want to download"));
header("Pragma: no-cache");
header("Expires: 0");
$fp=fopen("$location of pdf/$name of pdf that you want to download","r");
print fread($fp,filesize("$location of pdf/$name of pdf that you want to download"));
fclose($fp);
exit();

Saw this in a discussion here.

在这里的讨论中看到了这一点。

#5

I had a similar problem many moons ago in classic ASP.

我在经典ASP中遇到过类似的问题。

Kept files in a directory outside of the webroot.

将文件保存在webroot之外的目录中。

Upon verification, sent the file via ADODB.Stream, and then checked the file extension to make sure i had the proper mime-type set.

验证后,通过ADODB.Stream发送文件,然后检查文件扩展名以确保我有正确的mime类型集。

#6

It's not clear if you're using ASP.NET, ASP.NET MVC or something else. However, this post...

目前尚不清楚你是使用ASP.NET,ASP.NET MVC还是其他东西。不过,这篇帖子......

How can I present a file for download from an MVC controller?

如何从MVC控制器提供要下载的文件?

... shows how to programatically return a file to the user using ASP.NET (the question shows the ASP.NET way, the answers show the MVC way).

...显示如何使用ASP.NET以编程方式将文件返回给用户(问题显示ASP.NET方式,答案显示MVC方式)。

THis would allow the physical files to be in a folder not otherwise accessible to the user, and would allow you to add validation prior to returning the document to ensure that the user was registered etc.

这将允许物理文件位于用户无法访问的文件夹中,并允许您在返回文档之前添加验证以确保用户已注册等。

If you're at a stage in your development where it's not too late to use ASP.NET MVC then do so. This scenario (serving up a file) becomes a one-liner, and so many other things will be easier (in particular, the testing of your app).

如果您正处于开发阶段,那么使用ASP.NET MVC还为时不晚。这种情况(提供文件)变成一个单行,而且许多其他事情将变得更容易(特别是,您的应用程序的测试)。

#7

You could use a IHttpHandler in .net, although you need wildcard access in IIS. You could use a session based handler.

您可以在.net中使用IHttpHandler,尽管您需要在IIS中使用通配符访问。您可以使用基于会话的处理程序。

#8

Use a script for access control

使用脚本进行访问控制

Make a script like myurl.com/file.php?docs/mypdf.pdf which checks that the user has rights to access the file. The script will fetch the file from a place that is not visible to the web.

制作类似myurl.com/file.php?docs/mypdf.pdf的脚本,检查用户是否有权访问该文件。该脚本将从Web不可见的位置获取文件。
(Optional) Use mod_rewrite to make your urls look nice, and redirect user to the file.php script. Something like:

(可选)使用mod_rewrite使您的网址看起来不错,并将用户重定向到file.php脚本。就像是:

RewriteCond docs/%{REQUEST_FILENAME} !-f

RewriteCond docs /%{REQUEST_FILENAME}!-f

RewriteRule ^(.*)$ file.php/$1 [QSA,L]

RewriteRule ^(。*)$ file.php / $ 1 [QSA,L]

This will redirect /docs/mypdf.pdf to /file.php?docs/mypdf.pdf but look nicer for the user.

这会将/docs/mypdf.pdf重定向到/file.php?docs/mypdf.pdf,但对用户来说看起来更好。

#1