Home/ Questions/Q 846155
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T06:34:09+00:00

I have a php file that acts as a gatekeeper for all the files

  • 0

I have a php file that acts as a gatekeeper for all the files I want people to download, who ahve sufficient privilages.

The code I use throw the file to the user is

header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header("Content-disposition: attachment; filename=\"".$public_filename."\""); 
header("Content-Transfer-Encoding: Binary"); 
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header("Content-length: ".$f_filesize); 
readfile($file_path);

Most files are fairly large…. 400mb-10GB.

What would be a good way to do this, and keep the true locations + filenames secret, so people cant just link to the files directly, but HAVE to link thru my download.php?file=ID gatekeeper?

Thanks

EDIT: Im not asking how to do user authentication, all that is done. Im just asking if my way of doing it, is a good idea on a large scale. Seems like it could cause memory problems if I keep reading 10GB files.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Ok, having php send files of around 400Mb–10Gb is not good. You need to somehow let whatever webserver you’re using actually serve the files.

    This really comes down to how secure you need it to be. The easiest solution that comes to mind (but far from the most secure) is using symbolic links with long random names that link to the original file. After a certain time the symbolic links expire and are removed. Each user get their own symbolic link (or “token”) to the file they’re downloading. I’m not sure how this plays out in Windows-environment, but on unix it’s fairly straightforward anyway.

    Here’s some pseudo code:

    if($user->isAllowedToDownload($file)){
    $token = md5($user->name . $file->name . time() . $someGoodRandomValue);
    symlink($file, $download_path . $token);
    header("Location: $download_url$token"); 
}

    Then you need a cron job that cleans out old symbolic links. You also need to make sure the webserver is set to follow symbolic links, preferably only for that folder where these download tokens are created.

    So when the user maybe requests domain.com/download?file=bigfile.mp4 a symbolic link is created in the webservers public space that points to the real file outside the webservers public space. The user gets redirected to maybe domain.com/getFile/ab739babec890103bdbca72 which in turn causes the webserver to serve the file. Now it’s very hard for users to try and guess what an URL is for a file, and that’s the “security”.

    • 0