I have a PHP application to check the users access(user/pass) and if the access is true, serve them the file for downloading by sending nginx's X-Accel-Redirect header to user.
The problem shows up when a user can share his login information(user/pass) with other people; so everyone have the login information can access the files and download them. I continue describing my problem by an example.
For example,
think we have two peoples who sharing their login access. so they both using a same User/Pass to loging in. let's call them "User_1" and "User_2".
User_1 loging in and start to download the file. at the same time, User_2 trying to loging in too. here, my php application noticed about the second login try.
I have their (ip address, user-agent, session_id) and I also can find out which file is already downloading by User_1.
When the User_2 trying to login, I will delete the User_1's session in php/mysql and if User_1 wants to download again, he have to re-login. I can even simply suspend this account(User/Pass), so no one can use it again!
But the problem is that X-Accel-Redirect already sent to User_1 for his previous login and download keeps continuing even if I delete the php sessions and force to loging out User_1!
So, I need a way to terminate User_1's alive download connection.
so, make it impossible to more than one download from the same user/pass at a same time.
Related
I'm currently working on adding a login system to an old website. Unfortunately, I'm new to web developments and can not find answers for the following questions:
1. How can I check if a user is logged in or not before serving his http requests. I do understand that in pho we just add session_start() follow by some checking statements. But the website I'm working on is really big and can would be tedious to add session check statement in every page. so is there a way to check if a user is logged in before serving his/her request?
The server is using nginx and the website is using php.
Thanks
There are different user for my website, and for each user there are separate PDF files, I want to give users privilege to download their files(but should not see the files of others users). Now I have created a login and I have the user-id in SESSION (I am using PHP for backend). So what is the secure way of accomplishing this task? Also how should I manage many of these PDFs on my server? (currently I have kept all the PDFs in one folder, but this seems insecure and I think these can easily be extracted by the un-authenticated user)
At a high level:
Store your PDFs outside of your webserver document root. Make them completely inaccessible to direct browser access.
Write a PHP script to handle download requests. This PHP page can check the session user ID to ensure the user is requesting a file that they are allowed to access.
Use header() calls and readfile() to then send the appropriate PDF file to the user.
Feel free to come back and post a question when you've researched and worked on this, and have a specific question with code.
I am creating a plugin in my website, where logged in users can view their emails. The Email Server I am developing against is Zimbra. So far, I have been able to successfully fetch and display user emails using PHP's imap_open function:
imap_open($server, $email, $password)
When a user clicks on an email link on the website, the user is navigated to the zimbra web client. However, the users will have to reenter their log-in credentials once more. I have checked my browser's cookie information, and have noticed that Zimbra sets a cookie, ZM_AUTH_TOKEN, when a user is logged in: I believe Zimbra uses this cookie to detect if a user is already logged in. In essence, my task is to eliminate this extra step of re-logging in; if there are open-source solutions, I would like to know about these as well.
You can check the official documentation here:
http://wiki.zimbra.com/index.php?title=Preauth
This is half of a solution -- sorry I've never programmed with Zimbra, but I've implemented single sign-on across php projects several times.
Is your domain and the domain of the zimbra webserver the same? If they are you can see and manipulate each other's cookies. Try to find the zimbra code that handles the login and sets a cookie. Then write a little web service web page and put it on the zimbra server that calls that code and returns the cookie token. Your website can then do a curl behind the scenes over to zimbra when a user logs in, get the token contents for the cookie and then set the appropriate cookie so they are logged into Zimbra. I secure the web service web page with a password that only my plugin website knows.
If they are not the same domain you can still do it. But instead of doing this through curl on the server you'll have to use frames or JavaScript on the client. Also a simple password to secure the login web service will not work since it is being accessed by the browser and everyone can see the password. You'll have to make the password more secure like hashing their email address (assuming it is the same on both servers) with a predefined secret.
I have very specific problem.
I have web based application which set cookie after login. The same login details are used in desktop application which is connected to the web interface.
My idea was is it possible that when the user logins first in web app and it set cookie for him, then he downloads the application, install it on his PC and start it for first time somehow to get the user and password and auto fill the login fields in desktop application, so it won't be necessary to write them second time.
One of the ways is to save the login and password in a plaintext in cookie, which is very risky and then the desktop app gets this cookie from the browser (the app is written in c++).
I really don't have any clear idea at the moment how this could be done, but if there is a way I will be happy to red any of your suggestions.
The main issue I see is actually getting to the cookie. I can't see how you'd do that reliably with all the OSes / OS versions, browsers / browser versions out there. You could maybe include an encrypted resource file in the download containing the credentials. You can put that into the downloaded archive on the server side.
Is downloading without a login really not an option?
Edit: including a one-use token in the download, using which the client can fetch the username and password (via SSL, encrypted, somehow safe) looks like a good bet.
I am creating a PHP script for my website that would allow my clients to login to their client account and view a list of files I've uploaded for them. Then they can download them without having to relogin or re enter a password.
I want to keep it secure so anyone cant come in and download the files if they know the clients name.
I've tried .htacccess, protecting the folders, etc.. but it doesnt seem to work. I've written the client login script thatl ets them login and view a list of files in their directory but I can't have them right click to download it without having them login.
Something similar can be seen here:
http://forums.cgsociety.org/showthread.php?f=76&t=808482
In the 2nd post, if you try to click delete.jpg it won't let you download it without logging in. I want this similar feature for my site.
The site is created in PHP, with a MySQL database.
The folder itself should have security permissions set that regular users do not have access to it, only whatever user runs the PHP process.
Your PHP scripts act as a passthrough for the actual file system. The users don't have permissions to see a list of files, but your scripts do. The users don't have permissions to access a file, but your scripts do so you can open them as binary files and write the data out to be sent to the user.
Do some research into PHP File Downloaders, this is fairly standard behaviour.
You could use cookies to signify that the user has been there before, and been authenticated. Make the value of the cookie be fairly random, so it can't be guessed. I would encrypt the username . timestamp and store that with the username, so username_token and that way you can time people out and force them to login, if you want, later.
Then, move the files out of the webapp directory, and have a cgi program that will show the files in the directory, and allow them to download them.
This way you can control what people see, and what actions are allowed.