I have a PHP application that checks the user's access (user/pass) and, if access is granted, serves them the file for downloading by sending nginx's X-Accel-Redirect header to the user.

The problem shows up when a user shares his login information (user/pass) with other people, so everyone who has the login information can access the files and download them. I'll continue describing my problem with an example.

For example, suppose we have two people who share their login access, so they both use the same user/pass to log in. Let's call them "User_1" and "User_2".

User_1 logs in and starts to download the file. At the same time, User_2 tries to log in too. Here, my PHP application notices the second login attempt. I have their (IP address, user-agent, session_id) and I can also find out which file is already being downloaded by User_1.

When User_2 tries to log in, I delete User_1's session in PHP/MySQL, and if User_1 wants to download again, he has to re-login. I can even simply suspend this account (user/pass), so no one can use it again! But the problem is that the X-Accel-Redirect has already been sent to User_1 for his previous login, and the download keeps going even if I delete the PHP sessions and force User_1 to log out!

So, I need a way to terminate User_1's live download connection and make it impossible to have more than one download from the same user/pass at the same time.

  • I cannot say whether you can block a file download that is already in progress; [this](http://stackoverflow.com/questions/13958303/curl-download-progress-in-php) may give you an idea as to how to involve PHP in the download/upload progress though! Maybe instead of interrupting User_1, who validated first and already started the download, you could prevent other users (User_2) from logging in to an account that is currently logged in? – Isaiah Mar 05 '17 at 07:09
  • @Isaiah, well, consider that the files are huge (usually bigger than **40GB**), so the download may take a long time because of the huge size of the files (5 days or more!). The user/pass is only checked once in the PHP script, before PHP sends the X-Accel-Redirect header to the client. So, after that, during the download time (5 days or more!), there is no way to use PHP (to change the header, etc.). So, even if I block `User_2` from logging in, it's easy to cheat: `User_1` can log in and, after the download has started, log out; after that `User_2` will be able to log in and download the file. – Amir Mar 05 '17 at 11:47
  • @Isaiah, I think the only way to block the download from the server side is to block User_1's IP address using PHP just when `User_2` tries to log in to the system; so `User_1`'s download will stop from the server side, and when `User_1` wants to resume it (or start it again) I can use PHP again to block the access (or maybe notify `User_1` about the problem). So, how can I do this (blocking `User_1`'s IP in Nginx/Linux) using PHP? – Amir Mar 05 '17 at 11:50
  • The link I first provided gives a great reference as to how to actually interrupt a file download that is in progress. The example only uses the logic to show a status bar, but you could check a value in the DB and interrupt the download accordingly. Also, for checking IP addresses I would refer to [this source](http://stackoverflow.com/questions/3003145/how-to-get-the-client-ip-address-in-php). – Isaiah Mar 05 '17 at 18:36
  • @Isaiah, I guess you have no idea what "CURL" is and what the difference is between what I asked for and what you're presenting!!!! And also, I know how to get the user's IP address; as I mentioned in my question, I already have the user's IP/user-agent in my DB. :-( In my two comments above I wrote the details about the problem and about what I need... – Amir Mar 05 '17 at 20:16
  • I suggested using an intermediate cURL request (rather than a direct link) to your script that handles the header with `X-Accel-Redirect`, so that you have access to the download programmatically and incrementally. With this access you could potentially interrupt the download while it is in progress. If you know the IP that you wish to block, simply redirect, `exit`, or `die()` based on this value ([example](https://perishablepress.com/how-to-block-ip-addresses-with-php/)). If you are looking for more than just PHP, you could use [.htaccess](http://www.htaccess-guide.com/deny-visitors-by-ip-address/). – Isaiah Mar 05 '17 at 22:23
  • Try fail2ban (via iptables) - after you detect a "shared" connection, add an entry to a log file; fail2ban can ban the IP address for X amount of time. – Tan Hong Tat Mar 06 '17 at 02:33
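One way to make the session deletion described in the question actually stop the transfer, as an added example that is not the asker's code: instead of handing the file to nginx with X-Accel-Redirect, let PHP stream it in chunks and re-check the session between chunks, so revoking the session ends the connection mid-file. The PDO connection, the `sessions(session_id)` table and the function names are assumptions, not anything from the question.

```php
<?php
// Added example, not the asker's code. It replaces the X-Accel-Redirect hand-off with a
// PHP streaming loop that re-checks the session between chunks, so deleting the session
// row (which the asker already does on a second login) actually stops the transfer.
// Assumptions (hypothetical): a PDO connection, a table `sessions(session_id)` whose row
// is removed on revocation, and $path/$sessionId already validated by the login check.
declare(strict_types=1);

const CHUNK_BYTES = 1024 * 1024; // re-check revocation once per MiB sent

function sessionStillValid(PDO $db, string $sessionId): bool
{
    $stmt = $db->prepare('SELECT 1 FROM sessions WHERE session_id = ? LIMIT 1');
    $stmt->execute([$sessionId]);
    return $stmt->fetchColumn() !== false;
}

// Streams $path to the client and returns the number of bytes sent. The loop exits as
// soon as the session disappears or the client goes away, closing the connection
// without the remaining bytes (the client sees a truncated transfer, not a success).
function streamWhileValid(PDO $db, string $sessionId, string $path): int
{
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Accept-Ranges: none'); // no resume support in this example

    set_time_limit(0);            // multi-day transfers must outlive max_execution_time
    while (ob_get_level() > 0) {  // drop output buffers so each chunk really hits the wire
        ob_end_flush();
    }

    $fh = fopen($path, 'rb');
    if ($fh === false) { return 0; }
    $sent = 0;
    while (!feof($fh)) {
        if (!sessionStillValid($db, $sessionId) || connection_aborted()) {
            break; // revoked or disconnected: stop sending immediately
        }
        $chunk = fread($fh, CHUNK_BYTES);
        if ($chunk === false || $chunk === '') { break; }
        echo $chunk;
        flush();
        $sent += strlen($chunk);
    }
    fclose($fh);
    return $sent;
}
```

The trade-off is that a PHP worker is now tied up for the whole transfer instead of nginx serving the file, and each MiB costs one MySQL query; for 40 GB files you would typically cache the session check for a few seconds rather than query on every chunk.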
