douren4075
2016-05-26 22:02
浏览 258
已采纳

防止在php中直接下载zip文件[关闭]

i want to protect direct download (copy/paste link)on my website. I am sending the download link in email, link is like it is currently accessible on direct link entry ,but i want it to work only when email link is clicked and I know this can be done by checking the session variables but problem is that i do not have any login modules.

图片转代码服务由CSDN问答提供 功能建议

我想保护我网站上的直接下载(复制/粘贴链接)。 我发送下载链接 在电子邮件中,链接就像它目前可以通过直接链接输入访问,但我希望它只在单击电子邮件链接时才能工作,我知道这可以通过检查会话变量来完成,但问题是我没有任何登录模块 。

  • 写回答
  • 好问题 提建议
  • 关注问题
  • 收藏
  • 邀请回答

2条回答 默认 最新

  • donglu2761 2016-05-26 23:08
    已采纳

    You could create a special access token based on the client's IP if they have to download it within the same session.

    e.g.

    $downloadKey = md5($filename . '_' . $_SERVER['REMOTE_ADDR']);
    $_SESSION[$downloadKey] = $downloadKey;
    //  Include download link with key=$downloadKey
    

    Then the PHP code that handles the download of the ZIP can re-hash the client IP and filename requested to see if it matches the session value. If they match then the download can proceed.

    $request = md5($requestedFilename . '_' . $_SERVER['REMOTE_ADDR']);
    if (isset($_SESSION[$request]) && file_exists($requestedFilename)) { 
    {
       // stream file
       unset($_SESSION[$request]);
    }
    else {
       // 401 unauthorized
    }
    

    This is assuming the zip file is not visible from the web already and that you are opening and streaming it from a PHP script.

    已采纳该答案
    评论
    解决 无用
    打赏 举报
  • dtio35880438 2016-05-26 22:43

    You don't need any "login modules" if you have emails/filenames (how you got these emails is another question)

    simple: create unique link to (for example) https://example.com/download.php?file=ENCRYPTED_EMAIL_FILE_NAME for each email address+file name, send link.

    download.php script decrypts clicked $_GET['file'], and sends it to browser with correct header. If decryption fails, show 404, log hack attempt or something like this.

    If you don't have emails, well, maybe you should learn something about CMS/frameworks/databases/etc.

    评论
    解决 无用
    打赏 举报

相关推荐 更多相似问题