Best practice - Secure file download (avoid direct download)

Discussion relating to version 1.3.x and 1.4.x

Best practice - Secure file download (avoid direct download)

Postby JayR » Sat Apr 14, 2012 11:20 pm

Hi,

I'm wondering if there is a best practice for providing a secure way to download files without exposing the webserver's directory structure.
It seems that there is no symfony plugin specialized to this functionality. :(
On the other hand, I just found lots of articles "guessing" some PHP snippets, but no really professional and reliable information.

These examples vary from using the X-Sendfile or X-LIGHTTPD-send-file header to printing the file data directly with readfile() or print(fread(...)).
For me it seems that using the X-Sendfile or X-LIGHTTPD-send-file Header is the easiest way of providing a secure download.
But anyway, I have no experience with this kind of download...

Can you tell me what you do for secure downloads, and how? What are the pros and cons?
Maybe you know an article providing some good information about these kinds of downloads.

Thanks in advance!
Best,
Jan
JayR
Junior Member
 
Posts: 18
Joined: Mon Nov 09, 2009 11:49 am

Re: Best practice - Secure file download (avoid direct download)

Postby JayR » Sun Apr 15, 2012 7:06 pm

Just to answer my own question... :)
Please correct me if I'm wrong!

It seems that the file download with readfile() is the default way or the method that should always work. (http://php.net/manual/de/function.readfile.php)
The X-Sendfile or X-LIGHTTPD-send-file headers are specialized to delegate the downloading process to the webserver.

The biggest disadvantage of readfile() seems to be large files. You have to deal with PHP time limits and heavy system loads...
I haven't found any disadvantages of using the X-Sendfile or X-LIGHTTPD-send-file headers.

So the best practice would be using the specialized headers instead of readfile() if the webserver was configured to allow them, right?
JayR
Junior Member
 
Posts: 18
Joined: Mon Nov 09, 2009 11:49 am
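As an added example (not code from the thread or from the symfony project), here is what the two approaches from the post above look like in one symfony 1.4 action: the file is resolved inside a directory outside web/, a path-traversal guard rejects anything that escapes it, and the transfer is either delegated to the webserver via a configurable send-file header or streamed through PHP in chunks. The module name, the "private" storage sub-directory, the app_download_sendfile_header setting and the "authenticated users only" rule are assumptions for illustration.

```php
<?php
// Added example, not from the original thread or the symfony project.
// Assumed layout: files live under sf_upload_dir/private, which is not
// under web/ and therefore can never be fetched by a direct URL.
class downloadActions extends sfActions
{
  const STORAGE_SUBDIR = 'private';

  public function executeFile(sfWebRequest $request)
  {
    // 1. Authorisation first. A 404 (rather than 403) avoids confirming that
    //    the file exists to an unauthenticated caller. (assumed policy)
    $this->forward404Unless($this->getUser()->isAuthenticated());

    // 2. Resolve the name inside the storage directory and refuse anything
    //    that escapes it, e.g. "../../config/databases.yml". basename()
    //    strips directory parts; the realpath() prefix check catches the rest.
    $storageDir = realpath(sfConfig::get('sf_upload_dir') . '/' . self::STORAGE_SUBDIR);
    $name = basename((string) $request->getParameter('name'));
    $path = ($storageDir !== false) ? realpath($storageDir . '/' . $name) : false;
    $this->forward404Unless(
      $path !== false && is_file($path)
      && strpos($path, $storageDir . DIRECTORY_SEPARATOR) === 0
    );

    // 3. Download headers. The filename comes from basename(), so it cannot
    //    carry path separators or quotes from the request into the header.
    $response = $this->getResponse();
    $response->setContentType('application/octet-stream');
    $response->setHttpHeader('Content-Disposition', 'attachment; filename="' . $name . '"');
    $response->setHttpHeader('Content-Length', (string) filesize($path));
    $response->setHttpHeader('X-Content-Type-Options', 'nosniff');

    // 4a. Delegate to the webserver when it is configured for it. The header
    //     name differs per server ("X-Sendfile" for Apache mod_xsendfile,
    //     "X-LIGHTTPD-send-file" for older lighttpd), so it is read from
    //     app.yml (assumed key app_download_sendfile_header).
    $sendfileHeader = sfConfig::get('app_download_sendfile_header');
    if ($sendfileHeader)
    {
      $response->setHttpHeader($sendfileHeader, $path);
      return sfView::NONE;
    }

    // 4b. Fallback: stream through PHP. Drop output buffers so the file is
    //     not collected in memory, lift the time limit, send in 64 KiB chunks.
    while (ob_get_level() > 0)
    {
      ob_end_clean();
    }
    set_time_limit(0);
    $response->sendHttpHeaders();
    $fh = fopen($path, 'rb');
    while (!feof($fh))
    {
      echo fread($fh, 65536);
      flush();
    }
    fclose($fh);
    return sfView::NONE;
  }
}
```

Whichever branch is taken, the URL the browser sees is /download/file?name=report.pdf, never the filesystem path. The send-file branch only works if the webserver module is installed and enabled for that location; otherwise the header is passed through to the client as a plain response header and the body is empty, which is worth checking once with curl -I after deployment.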

Re: Best practice - Secure file download (avoid direct download)

Postby yandos » Wed Apr 25, 2012 11:48 am

I've had issues using X-Sendfile to deliver video to iOS devices, it seems to stop the stream and is flaky at best. Another solution which doesn't rely on your own server setup is to use S3 or similar to host the files. You can generate a one-time/limited-time access key to your files and then let the user download/stream etc how they wish.
yandos
Junior Member
 
Posts: 1
Joined: Tue Apr 24, 2012 6:55 pm
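As an added example of the S3 approach suggested above (not code from the thread or the symfony project), this generates a pre-signed GetObject URL with the AWS SDK for PHP v3, which requires PHP 5.5+ and is therefore newer than what symfony 1.4 itself needs. The bucket, region, key, filename and the surrounding authorisation check are assumptions. One caveat worth keeping in mind: a pre-signed URL is valid for anyone who holds it until it expires, so it is limited-time rather than one-time, and the expiry should be kept short.

```php
<?php
// Added example, not from the original thread or the symfony project.
// Requires: composer require aws/aws-sdk-php (SDK v3). Credentials are read
// from the environment or ~/.aws/credentials as the SDK normally does.
require 'vendor/autoload.php';

use Aws\S3\S3Client;

/**
 * Return a URL that grants GET access to one private object for $ttl.
 * The bucket itself stays private; the signature in the query string is the
 * only thing that authorises the download.
 */
function presignedDownloadUrl(S3Client $s3, $bucket, $key, $filename, $ttl = '+10 minutes')
{
  $cmd = $s3->getCommand('GetObject', array(
    'Bucket' => $bucket,
    'Key'    => $key,
    // Force a download under a server-chosen filename so the object key
    // (and with it the storage layout) is not shown to the browser.
    'ResponseContentDisposition' => 'attachment; filename="' . basename($filename) . '"',
  ));
  $request = $s3->createPresignedRequest($cmd, $ttl);
  return (string) $request->getUri();
}

// Usage (assumed names): authorise in the application first, then hand the
// user a short-lived URL and let S3 serve the bytes.
$s3 = new S3Client(array('version' => 'latest', 'region' => 'eu-west-1'));
$url = presignedDownloadUrl($s3, 'example-private-files', 'users/42/report.pdf', 'report.pdf');
header('Location: ' . $url, true, 302);
```

Because the webserver never touches the file, neither PHP time limits nor X-Sendfile support matter here; the trade-off is that access control happens at URL-issuing time, so the application must re-check permissions on every request for a new URL rather than relying on the old one having expired.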
