About Me

My name is János Rusiczki and I earn a living by working as a senior web developer / server maintenance consultant.

Read more about me.
Mail janos at this domain

Blog Archives

• December 2008
• November 2008
• October 2008
• September 2008
• July 2008
• June 2008
• May 2008
• April 2008
• March 2008
• February 2008
• Main Archive Index

Latest Flickr Photos

Sites / Blogs

• Grafic
• Link7 Blog
• Kit.blog
• Squidfingers
• Weblog Wannabe

It's a cruel world ($$$)

• RC Helicopter Wiki
• Wood Profit
• Metal News
• Turism Maramures
• Expat Club Romania

Some Buttons

PHP protected file downloads for your site's members

Hey, look! I just made a Google friendly entry title... And I did it because I want people to learn from the mistakes I made.

Suppose you have a website and you want to have some downloads available only to the members. Maybe you'll manually approve each member to protect your bandwidth and so on... What do you do? You'll most likely set up a members system in PHP (or integrate your downloads page with your exisiting members system) and then you'll write a script to check if the user is authenticated and / or has download rights and if yes pass him the file via the script. You do this "via the script" passing instead of a header redirect to the real location of the file because advanced users could note the real location of the file thus circumventing the protection.

If you have big files to protect (relative to your server's memory) don't make the same mistake I did. Do not use any PHP function that loads the file into the memory and than passes it on to the user. You'll expose the server your pages are hosted on to unwanted DoS (Denial of Service) risks. My client had some nice guy coming through an open proxy from Cambodia who hammered the server with 5 to 10 requests per second for software-download.php?id=435. What happened was that PHP tried to load 10 * 85 megs per second and I'll let you do the math and figure out how much it took it to run out of memory... I caught the bastard by activating Apache's mod_status module and watched what was happening in real time.

I'm still thinking about an easy solution for this problem, except splitting up the huge files with RAR or banning more than 1 connection from one user in an X minute interval which creates some database overhead.

You could also use cookies or server side tracking of IP's to make sure nobody downloads more than X files at once. Some kind of semaphore with X slots.

What's wrong with http authentication?

http://httpd.apache.org/docs/howto/auth.html#basic

How does the entire file ends up in memory?
I did, about 4 years ago, a PHP script that would check credentials and then read from the file and write to the user, copy&paste via a small buffer. Why load the entire file in memory?

Use readfile ( http://ro.php.net/manual/en/function.readfile.php )... or any of the other alternatives listed on that page.

P.S. You need to set the buffer/chuck size or just rought it out with fopen and friends.