>  
>  I'm designing a controlled access system in PHP, and it's coming along
>  quite well.  It's very simple, and just sets a session varibale, such as
>  $_SESSION['authenticated'] = 1, not a whole lot.
>  
>  Now I run a small sniplet of code on the top of each HTML and PHP file,
>  which checks for this variable, and either allows or denys access to the
>  page.
>  
>  However, how do people protect against the downloading of real files,
>  ones which are not parsed by PHP?  .WMV, .MOV, .ZIP, .EXE and so on?  I
>  want to protect access to these as well, and if a visitor just types in
>  a URL and is able to access the file because my access control mechanism
>  simply doesn't work on those types of files, what should be the solution
>  here?
>  
>  It's been suggested to use readfile() to accomplish this, by forwarding
>  content from outside of the document root - but this just sounds odd.
>  On top of being (what I think would be) incredibly slow, it just doesn't
>  sound "right".
>  

I had a similar issue.  I ended up using a .htaccess so that you could 
not open the file directly.  If checked for the referrer.  This is not 
the most secure way to do it.  I know it can be spoofed.

IndexIgnore *
SetEnvIfNoCase Referer "^http://example.com/viewer.php" local_ref=1
Order Allow,Deny
Allow from env=local_ref

Jason Motes
php at imotes.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php