
I'm building a website where people can upload files. Files can be public or private. To avoid encoding problems, I store files under a random name in a "hidden" directory. However, the public folder can be accessed directly if we know the URL. (That's not a problem.)

My public part is OK; my PHP script gives the user a URL that looks like this:
http://example.com/d/1/524dd711c3102/b1bi.png

And Apache controls the access with:

RewriteRule ^d/(\d+)/([a-zA-Z0-9]+)/(.+)$  ./files/public/$1/$2 [L]

So far, it's all good.

But now, the tricky part is the private files. I need only the user who uploaded a file to be able to access it. And I want to avoid a PHP-based solution with readfile or file_get_contents or things like that.

In fact, I would imagine something like:

The user tries to access ./files/private/<folder_id>/<file_id> and Apache "asks" a PHP file if it's OK or not.

And the problem is, I don't think it's possible.

So:

  1. Is it possible? If so, how?
  2. Can you think of a better solution? (I thought of using the standard Apache/HTTP authentication, but it would be tricky to restrict access per user.)

(I could also use XSendFile, but I want the user to be able to read/watch the file on the website without downloading it (for a picture, for example).)

Thanks :)

Koryonik
Tiller
  • I don't think you can make Apache "ask" php if a user is allowed to access a file. – TheWolf Oct 03 '13 at 21:48
  • How do you authenticate your users? – Étienne Miret Oct 03 '13 at 21:50
  • The PHP you said you want to avoid is the approach you should be taking. Why do you want to avoid it? –  Oct 03 '13 at 21:50
  • @EtienneMiret: "Basic" PHP authentication. Login form looking into a DB – Tiller Oct 03 '13 at 21:52
  • @Dagon: Because it's slow & heavy. – Tiller Oct 03 '13 at 21:53
  • Slower than? Heavier than? –  Oct 03 '13 at 21:57
  • Than apache giving the file by itself. http://stackoverflow.com/questions/6627952/why-does-readfile-exhaust-php-memory – Tiller Oct 03 '13 at 22:35
  • But you require user authentication, so it's not an option. –  Oct 03 '13 at 23:37
  • You can't have Apache asking for permissions from PHP. PHP is a child process of Apache, not vice-versa. If you have user authentication required and you want to securely deliver files to authenticated user - you *have* to use PHP to read the file. The debate whether Apache is faster in doing it or not is irrelevant. The very premise of your task dictates what you have to do. If you're worried about performance, you're optimizing prematurely. Find a solution that works and then optimize it later when the need occurs. If you don't want to do any of that, good luck with this task. – N.B. Oct 04 '13 at 08:38

2 Answers


There is RewriteMap in mod_rewrite, which can use an external data source to provide some rewrite rules/mappings. Performance is likely to be pretty atrocious, however.

Check: http://httpd.apache.org/docs/current/rewrite/rewritemap.html#prg

Marc B

You can use fread() and read/send chunks of 1kb to the browser in combination with the garbage collector (http://php.net/gc); this shouldn't be a problem at all in memory.

With fread() you only save a position in the file and a segment of the file.

This will be only a very little smaller than Apache, but you have full access control which is worth all the circumstances.

Other websites save big data in BLOBS into a database and you won't even notice.

Daniel W.
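
The chunked fread() delivery described in this answer, combined with the per-user ownership check the question asks for, as an added example that is not part of the original answer. `PRIVATE_ROOT`, `INLINE_TYPES`, `file_owner()`, the `folder`/`file` query parameters and `$_SESSION['user_id']` are assumptions, and the ownership table is constructed sample data standing in for the database lookup.

```php
<?php
// Added example. Assumed names: PRIVATE_ROOT, INLINE_TYPES, file_owner() (stand-in for
// the DB lookup), ?folder=&file= parameters, $_SESSION['user_id'] set by the login form.
const PRIVATE_ROOT = __DIR__ . '/files/private';
const INLINE_TYPES = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'];

function file_owner(string $folder, string $file): ?int
{
    $owners = ['1/524dd711c3102' => 42]; // constructed sample row: folder/file => user id
    return $owners["$folder/$file"] ?? null;
}

function resolve_private_path(int $userId, $folder, $file): ?string
{
    // Same character classes as the question's RewriteRule; \z also rejects a trailing newline.
    if (!is_string($folder) || !is_string($file)
        || !preg_match('/^\d+\z/', $folder) || !preg_match('/^[a-zA-Z0-9]+\z/', $file)
        || file_owner($folder, $file) !== $userId) {
        return null;
    }
    $root = realpath(PRIVATE_ROOT);
    $path = realpath(PRIVATE_ROOT . "/$folder/$file");
    // Refuse anything (a symlink, for instance) that resolves outside the private tree.
    if ($root === false || $path === false || !is_file($path)
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

session_start();
$userId = $_SESSION['user_id'] ?? null;
session_write_close(); // release the session lock before a long transfer
$path = $userId === null ? null
    : resolve_private_path((int) $userId, $_GET['folder'] ?? null, $_GET['file'] ?? null);
if ($path === null) {
    http_response_code(404); // same response for "missing" and "not yours"
    exit;
}
$type = mime_content_type($path) ?: 'application/octet-stream';
header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
// Only allowlisted types render in the page; an uploaded HTML file is downloaded instead.
header('Content-Disposition: ' . (in_array($type, INLINE_TYPES, true) ? 'inline' : 'attachment'));
header('X-Content-Type-Options: nosniff');
while (ob_get_level() > 0) { ob_end_clean(); } // no output buffer may hold the whole file
$fh = fopen($path, 'rb');
while (!feof($fh)) { echo fread($fh, 8192); flush(); } // fixed-size chunks keep memory flat
fclose($fh);
```

For this to be the only route to the files, the private directory also has to be unreachable by direct URL, for example by placing it outside the document root.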