Hi there, I hope that someone might have an idea or suggestion to help me here.
I have a web application running on Linux in Apache 2, php5. The application manages a media database that is accessed by subscription. The content is served off separate Apache servers - some are located in different geographic regions. All users access the content by common URL, such as http://www.maindomain.com/123/file.avi I use .htaccess with mod_rewrite to modify the incoming URL to a PHP script such as http://www.maindomain.com/getfile.php?user=123 <http://www.maindomain.com/getfile.php?user=123&file=file.avi> &file=file.avi This works great and the PHP script is called, logs the request, checks the user's subscription rights, and if ok redirects them to the actual file to obtain by way of a Header() command (ie. Modifies the HTTP header to do a Location: .. To where the file actually resides). Although this works perfectly, the problem is that the user's browser will change to reflect the endpoint URL where the file actually resides. Users then simply have been cutting & pasting this URL into their own websites and providing unaudited access to the raw file directly and bypassing our script. I need to find a way to do this without displaying the endpoint URL to the user in anyway. But it has to be able to be done through a PHP script. Clearly Header() in PHP isn't cutting it. I also have to use Apache at each endpoint web server location. I'm wondering if anyone has a suggestion on how best to do this? Can I install something in .htaccess on the endpoint server end to reject incoming requests that are not via authenticated redirects? Can I use the HTTP_REFERRER in some way to ensure that what has come to this server came by way of a legitimate referral? All ideas are greatly appreciated. Thanks Myles
