Hiding a link to binary file for download

Mark Musone mmusone at shatterit.com
Wed Aug 20 16:19:28 EDT 2003 

Not if that form requires either POST authentication information,
Or a session cookie set..

I'd need to know in more detail how you are doing the authentication..
Are you enabling some sort of sessions or is that script directly doing
the authentication and not passing the authentication information to
other pages..


If everything is really essentially just that one page you are doing
authentication for, the you probably want something like this:


Page 1: html form with input for username and password  --->> posts to
page2

Page 2: php page, reads in username,password from a form POST, does
authentication. If accepted, fopen file, and fpassthru


If the user is authenticating for and entire "system" or a set of pages,
then you'll need to establish a session and it'd be something like this:

Page 1: html form with input for username and password -->>posts to
page2

Page 2: php page, does authentication. If accepted, establish a session
(set a cookie with a session identifier, or set form variables with a
hidden field containing the session identifier, or simply use the remote
IP address as the session identifier   ---> display menu of items that
the now logged in person can choose --> goes to multiple different pages

Menu-Item Pages: read in session cookie, hidden session form variable,
or look up IP in a session database to authenticate   ---> do respective
function (fopen file, fpassthru file)


-Mark



-----Original Message-----
From: owner-nflug at nflug.org [mailto:owner-nflug at nflug.org] On Behalf Of
David Dudek
Sent: Wednesday, August 20, 2003 3:24 PM
To: nflug at nflug.org
Subject: RE: Hiding a link to binary file for download

Okay, but then won't they just bookmark that link and get the file while
bypassing the form?

-- 
David Thomas Dudek     http://www.buffalo.edu/~dudek/

On Wed, 20 Aug 2003, Mark Musone wrote:

> Date: Wed, 20 Aug 2003 14:33:00 -0400
> From: Mark Musone <mmusone at shatterit.com>
> Reply-To: nflug at nflug.org
> To: nflug at nflug.org
> Subject: RE: Hiding a link to binary file for download
>
> Umm...well, it's really whatever page you want it to be..
> Just put the php code in the page you want the person to think they
are
> downloading from..
>
>
>
> -----Original Message-----
> From: owner-nflug at nflug.org [mailto:owner-nflug at nflug.org] On Behalf
Of
> David Dudek
> Sent: Wednesday, August 20, 2003 1:33 PM
> To: nflug at nflug.org
> Subject: RE: Hiding a link to binary file for download
>
> Thanks!  Would this page be the same one that they arrive to AFTER
they
> fill out the form?
>
> --
> David Thomas Dudek     http://www.buffalo.edu/~dudek/
>
> On Wed, 20 Aug 2003, Mark Musone wrote:
>
> > Date: Wed, 20 Aug 2003 12:57:10 -0400
> > From: Mark Musone <mmusone at shatterit.com>
> > Reply-To: nflug at nflug.org
> > To: nflug at nflug.org
> > Subject: RE: Hiding a link to binary file for download
> >
> > This is a fairly common use of php.
> >
> > What you'll want to do is use a combination of fopen(), to open the
> > file,
> > And then fpassthru(), which outputs the file to the users browser..
> >
> > The user thinks they are accessing
http://www.domain.com/myscript.php
> >
> >
> > But in myscript.php, it has
> >
> > <?php
> >
> > $fp=fopen("myfile");
> > fpassthru($fp)
> > ?>
> >
> >
> > -----Original Message-----
> > From: owner-nflug at nflug.org [mailto:owner-nflug at nflug.org] On Behalf
> Of
> > David Dudek
> > Sent: Wednesday, August 20, 2003 11:13 AM
> > To: nflug at nflug.org
> > Subject: PHP: Hiding a link to binary file for download
> >
> > Here's a question for Mark or anyone else who cares to answer:
> >
> > I want to set up a webpage that will allow me to log who is
> downloading
> > certain binary files from a web site.  I intend to do this by having
a
> > page that a user has to authenticate to, in my case by DCE/Kerberos,
> so
> > that the $REMOTE_USER environment variable is assigned.  I know how
to
> > do
> > that part.  I might have the user then fill out a form for some
info.
> > But then (here's the part I don't know about) I want to redirect the
> > user
> > to the URL for a binary file download, but I don't want the user to
> see
> > the direct URL.  In other words, I don't want users to be able to
> bypass
> > my form to download the file.
> >
> > Any ideas?
> >
> > --
> > David Thomas Dudek     http://www.buffalo.edu/~dudek/
> >
> > ---
> > Incoming mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.510 / Virus Database: 307 - Release Date: 8/14/2003
> >
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.510 / Virus Database: 307 - Release Date: 8/14/2003
> >
> >
> >
> >
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.510 / Virus Database: 307 - Release Date: 8/14/2003
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.510 / Virus Database: 307 - Release Date: 8/14/2003
>
>
>
>

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.510 / Virus Database: 307 - Release Date: 8/14/2003
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.510 / Virus Database: 307 - Release Date: 8/14/2003

More information about the nflug mailing list