Download tokens can only be used by a specific IP

pilot830

New Member
YetiShare User
Jan 22, 2014
242
1
0
If I go to http://fhscript.com and load a video, I can copy the download link for the video, with the download token in the URL, and paste that URL to anyone, and then anyone can download the file from that link.

Can you please make it so that if I generate a download token and give the download link to someone, they can't use that link? It won't work because their IP is not my IP. They would have to visit the short URL and get a download link of THEIR OWN.
 

enricodias4654

Member
YetiShare User
Jan 13, 2015
411
1
16
In the download function in /core/includes/file.class.php you can check if the $_SERVER['REMOTE_ADDR'] is equal to $tokenData['ip_address'].

Note that users' IPs are likely to change. A user could start downloading a file, pause it and restart the download the next day with another IP. They could also add a list of links in a download manager to download them one by one over a long period. You should at least allow users to resume downloads from a different IP.
 

adam

Administrator
Staff member
Dec 5, 2009
2,046
108
63
That's the reason why we took the IP restriction out, IPs may change. Also, Google Docs (for the document viewer plugin) comes from their own IP, so it breaks that plugin. I left the old code commented out in file.class.php if you want to have a test.
 

pilot830

adam said:
That's the reason why we took the IP restriction out, IPs may change. Also, Google Docs (for the document viewer plugin) comes from their own IP, so it breaks that plugin. I left the old code commented out in file.class.php if you want to have a test.
Do you have any suggestions as to what we can do for a scenario where a premium user copies and pastes their download token URL to a bunch of people?

How about detecting their session or cookie, so that some outsider can't just use the download URL token? Wouldn't that work?
 

enricodias4654

There are no safe ways to prevent this. But you can save the IPs that download the files and easily search for this behavior in the logs. The best way to prevent users from sharing links is blocking their accounts when they do.
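
The log search suggested in the post above, sketched as an added example (not YetiShare code and not written by anyone in this thread): it flags a token only when it is used from several distinct IPs inside a short window, so a download resumed the next day from a new IP is not reported. The record layout, the two-IP threshold, the one-hour window and the sample rows are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (ISO timestamp, account, download token, client IP).
# The field layout is an assumption; adapt it to however downloads are logged.
SAMPLE_LOG = [
    ("2015-01-13T10:00:00", "alice", "tok-aaa", "198.51.100.7"),
    ("2015-01-14T09:30:00", "alice", "tok-aaa", "198.51.100.90"),  # resumed next day, new IP
    ("2015-01-13T11:00:00", "bob", "tok-bbb", "203.0.113.5"),
    ("2015-01-13T11:02:00", "bob", "tok-bbb", "192.0.2.44"),
    ("2015-01-13T11:03:00", "bob", "tok-bbb", "198.51.100.23"),
    ("2015-01-13T11:05:00", "bob", "tok-bbb", "203.0.113.77"),
    ("2015-01-13T11:05:30", "bob", "tok-bbb", "203.0.113.5"),  # repeat IP, counted once
]


def find_shared_tokens(rows, max_ips=2, window=timedelta(hours=1)):
    """Return {token: (account, sorted IPs)} for tokens seen from more than
    max_ips distinct addresses inside any single sliding time window."""
    by_token = defaultdict(list)
    for ts, account, token, ip in rows:
        by_token[token].append((datetime.fromisoformat(ts), account, ip))

    flagged = {}
    for token, hits in by_token.items():
        hits.sort()  # chronological order
        start = 0
        for end in range(len(hits)):
            # Advance the left edge until the span fits inside the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ips = {ip for _, _, ip in hits[start:end + 1]}
            if len(ips) > max_ips:
                # Report the first window that crosses the threshold.
                flagged[token] = (hits[end][1], sorted(ips))
                break
    return flagged


if __name__ == "__main__":
    for token, (account, ips) in find_shared_tokens(SAMPLE_LOG).items():
        print(f"{token} (account {account}): {len(ips)} IPs within the window: {ips}")
```

A flagged token is a lead for manual review of the account, since NAT changes and mobile networks can also produce several addresses in a short time.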
 

adam

How about detecting their session or cookie?
Not with download managers and it doesn't work with xAccelRedirect either.