如何让具有所需权限的用户通过php下载文件? [英] How to let users with required permission download a file via php?

问题描述

我有一个php文件，充当我希望人们下载的所有文件的网守，这些文件具有足够的特权.

I have a php file that acts as a gatekeeper for all the files I want people to download, who ahve sufficient privilages.

我使用的将文件扔给用户的代码是

The code I use throw the file to the user is

header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header("Content-disposition: attachment; filename=\"".$public_filename."\""); 
header("Content-Transfer-Encoding: Binary"); 
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header("Content-length: ".$f_filesize); 
readfile($file_path);

大多数文件都相当大....400mb-10GB.

Most files are fairly large.... 400mb-10GB.

什么是做到这一点的好方法，并且将真实的位置+文件名保密，所以人们不能直接链接到文件，而必须通过我的download.php?file = ID Gatekeeper链接?

What would be a good way to do this, and keep the true locations + filenames secret, so people cant just link to the files directly, but HAVE to link thru my download.php?file=ID gatekeeper?

谢谢

林不问如何进行用户身份验证，所有这一切都已完成.我只是问我这样做的方式是否是一个大规模的好主意.如果我继续读取10GB的文件，可能会导致内存问题.

Im not asking how to do user authentication, all that is done. Im just asking if my way of doing it, is a good idea on a large scale. Seems like it could cause memory problems if I keep reading 10GB files.

推荐答案

好吧，让php发送大约400Mb–10Gb的文件不是很好.您需要以某种方式让您使用的任何Web服务器实际提供文件.

Ok, having php send files of around 400Mb–10Gb is not good. You need to somehow let whatever webserver you're using actually serve the files.

这实际上取决于您需要的安全性.我想到的最简单的解决方案(但远非最安全的解决方案)是使用具有长随机名称的符号链接来链接到原始文件.一定时间后，符号链接将过期并被删除.每个用户都有自己的符号链接(或令牌")到他们正在下载的文件.我不确定这在Windows环境中如何发挥作用，但在Unix上反正还是很简单的.

This really comes down to how secure you need it to be. The easiest solution that comes to mind (but far from the most secure) is using symbolic links with long random names that link to the original file. After a certain time the symbolic links expire and are removed. Each user get their own symbolic link (or "token") to the file they're downloading. I'm not sure how this plays out in Windows-environment, but on unix it's fairly straightforward anyway.

这是一些伪代码:

if($user->isAllowedToDownload($file)){
    $token = md5($user->name . $file->name . time() . $someGoodRandomValue);
    symlink($file, $download_path . $token);
    header("Location: $download_url$token"); 
}

然后，您需要执行cron作业，以清除旧的符号链接.您还需要确保将Web服务器设置为遵循符号链接，最好仅针对创建了这些下载令牌的文件夹.

Then you need a cron job that cleans out old symbolic links. You also need to make sure the webserver is set to follow symbolic links, preferably only for that folder where these download tokens are created.

因此，当用户可能要求domain.com/download?file=bigfile.mp4时，会在Web服务器公共空间中创建一个符号链接，该符号链接指向Web服务器公共空间之外的实际文件.用户可能被重定向到domain.com/getFile/ab739babec890103bdbca72，这反过来又导致Web服务器为文件提供服务.现在，用户很难尝试猜测文件的URL，这就是安全性".

So when the user maybe requests domain.com/download?file=bigfile.mp4 a symbolic link is created in the webservers public space that points to the real file outside the webservers public space. The user gets redirected to maybe domain.com/getFile/ab739babec890103bdbca72 which in turn causes the webserver to serve the file. Now it's very hard for users to try and guess what an URL is for a file, and that's the "security".

这篇关于如何让具有所需权限的用户通过php下载文件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！