Secure files - Authenticated user download only

Question

how would one secure files on a web server? Id like them to be downloadable only by authenticated users How do i stop someone putting in the files URL and just downloading it without auth. lets say for instance - a user downloads the file - perhaps you have a controller that checks auth and streams them the file using this url: ie: site.com/controller/download/filename whats to stop people doing this with no auth directly: site.com/files/filename.ext

the direct link to the file essentially bypasses the whole web framework and just downloads the file.

perhaps im missing a fundamental here - but how to do this and keeps files private?

Thanks!

You create a proxy: `example.com?file=` and then if `` is associated to the user then allow access. — Script47, Sep 25 '19 at 11:14
This is a pretty broad question; you're best off doing your own research on secure user registration and login systems... there are many different ways and levels of sophistication to do this. Come back when you have a more specific question, a coding issue. — jibsteroos, Sep 25 '19 at 11:15

Abhishek kandari · Answer 1 · 2019-09-26T06:18:53.550

1

Make a download action for your files based on unique encrypted id like below. Each file should be entered in file table which saves data like file name, original name, uploaded by, uuid etc and based on this data you can apply restrictions to the download action. You should also define access rule for the download action if you want only logged in user to be able to download the file.

public function actionDownload($id) 
    { 
        $file = File::findOne(['uuid'=>$id]);
        if($file!=null)
        {
           $path = UPLOAD_BASE_PATH.'/'.$file->name;
           if (file_exists($path) && !is_dir($path)) {
            return Yii::$app->response->sendFile($path,$file->original_name);
           }
        }
        throw new NotFoundHttpException("File not found");
    }

edited Sep 26 '19 at 06:18

answered Sep 25 '19 at 12:52

Abhishek kandari

196
1
8

1

You should check if the `File::findOne` returns non empty value. Otherwise the next row will try to access property of null. – Michal Hynčica Sep 25 '19 at 14:42
@MichalHynčica Thanks for pointing it out, have updated the code. – Abhishek kandari Sep 26 '19 at 06:19

score 0 · Answer 2 · answered Sep 25 '19 at 14:56

If you don't want people allow to access files with direct link then you should save the files outside of the web root. In yii2 your web root is in /web folder and the folder should be set as web's document root. That will make server to point all request to it preventing any attempts to access files outside of /web folder directly. See apache docs for more info.

If you must have the folder in the place where it can be accessed directly you can use .htaccess to block any direct access to folder. How to do that is answered in this question: Deny access to one specific folder in .htaccess

Secure files - Authenticated user download only

2 Answers2