由网友(终是深情被辜负)分享简介：我工作的一个网站，允许用户购买数字内容，并已实施了尝试提供安全的下载方法。I'm working on a site that allows users to purchase digital content and have implemented a method that attempts to serve s...

我工作的一个网站，允许用户购买数字内容，并已实施了尝试提供安全的下载方法。

I'm working on a site that allows users to purchase digital content and have implemented a method that attempts to serve secure downloads.

我用codeIgniter强制下载这样的：

I'm using CodeIgniter to force downloads like this:

$file = file_get_contents($path);

force_download("my_file_name.zip", $file);

当然，我确保用户可以访问使用数据库服务于下载前的文件，但我不知道是否有一种方法，使这些文件更安全。

Of course, I make sure the user has access to the file using a database before serving the download, but I was wondering if there was a way to make these files more secure.

我使用的是一些8-10字母键创建文件路径，以便网址文件都不太容易弄清楚......像 http://mysite.com /as67Hgr/asdo0980/uth89.zip 代替 http://mysite.com/downloads/my_file.zip 。

I'm using a some 8-10 letter keys to create the file paths so urls to the files aren't exactly easy to figure out... something like http://mysite.com/as67Hgr/asdo0980/uth89.zip in lieu of http://mysite.com/downloads/my_file.zip.

另外，我使用的.htaccess否认目录浏览，像这样：选项全部-Indexes

Also, I'm using .htaccess to deny directory browsing like so: Options All -Indexes.

除此之外......我不知道采取什么步骤。我见过的文章使用的.htaccess提示用户名和密码的方法，但我不知道如何绕过会出现使用该方法的密码提示。

Other than that... I have no idea what steps to take. I've seen articles suggesting username and password methods using .htaccess, but I don't understand how to bypass the password prompt that would occur using that method.

我希望有可能是在那里我可以用头和卷曲（或类似的东西），但我不知道从哪里发送的用户名和密码组合的方法启动。

I was hoping there might be a method where I could send a username and password combination using headers and cUrl (or something similar), but I wouldn't know where to start.

任何帮助将是巨大的AP preciated。在此先感谢！

Any help would be hugely appreciated. Thanks in advance!

推荐答案

请它使Web服务器不提供任何情况下的文件，否则，所有的检查是pretty的实际意义。要做到这一点，最好的办法就是把他们的地方Web根目录之外。即：

Make it so the web server does not serve the files under any circumstances, otherwise all the checking is pretty moot. The best way to do that is to put them somewhere outside the webroot. I.e.:

/
  webroot/         <- root web directory, maybe named www or similar
    index.php      <- your app, served normally
    …other serve-able files…
  files/           <- not part of the serve-able webroot dir
    secret_file    <- web server has no access here

然后，如果访问这些目标的唯一途径是通过你的脚本，它作为你使你的脚本是作为安全的。

Then, if the only way to access them is through your script, it's as secure as you make your script.