Best way to download files if username and password correct

[Scotty123]

I'm writing a program (was C#, but doing C++ now) for someone, where a user enters username and password and then if correct, it should download some files.

The username and passwords are the username and passwords from a mysql database (ip boards in fact).

I was wondering what is the most secure way to do this in terms of not anyone being able to download the files. For example, I don't really want it in the program if the server responds username and password correct, it then uses a username/password to download from an ftp server, incase someone tries to get this from the program. I want the "path" to be through the program, not bypassed.

Essentially I want some sort of program that sits on the server, receives a request from a client, checks if they are in the DB, if they are, send the files over. I'd rather not write my own if possible, to save time. Maybe a program isn't needed, maybe there is an easier way. Not sure, why I am asking here. It seems like a common thing to do, although Google isn't returning much (maybe I am being rubbish!). Hope this makes sense. Thanks

 

[Scotty123]

The size of the files will be a few GB possibly, especially if a user is downloading a first time. In the future only necessary files will be updated.

I was going to send the password from client to server already hashed, since I thought sending raw passwords over the net is obviously bad practice?

The client program was originally going to be C#, but I was concerned could be too easy to reserve engineer. Sure you can do it to C++ as well, but it's harder I believe.

 

[Scotty123]

Oh yes, good point re your first sentence.

So think it would be better to do in C#? I switched to C++ (QT).

 

[Scotty123]

Nope, just Windows. Used a lot of QT though, I also know C#.

It's a launcher for a mod of a game. People are granted access to it by being put into a certain usergroup on the forums - as I said ipboards. Don't want any old Tom managing to download the files.

Launcher also has options for the startup of the game, website, teamspeak, news feed from RSS/xml.

 

[Scotty123]

There's no already made way for a ftp with a username and password from a mysql table? Would require a custom program?

 

[Scotty123]

The IP boards and webserver are on the same system, there will be multiple servers hosting the files, US and EU.

Yeah I agree they could pass them around, but still, it's a slight improvement if not just anyone can connect and download.

 

[Scotty123]

It's an Arma 3 mod if that makes it clearer .

 

[Scotty123]

Game loader - you mean launcher? If so, yes.

 

[Scotty123]

I've got everything set up and sending the files through php if authenticated etc. I am sending the data via chunks (best way apparently) from the php.

while (!feof($handle) && (connection_status() === CONNECTION_NORMAL))  
{ 
        $buffer = fread($handle, $chunksize); 
	print $buffer; 
	ob_flush(); 
	flush(); 
}

Chunksize is 8 MB.

The C# is (with 1mb buffersize)

byte[] downBuffer = new byte[iBufferSize];

while ((iByteSize = smRespStream.Read(downBuffer, 0, downBuffer.Length)) > 0)
{
                saveFileStream.Write(downBuffer, 0, iByteSize);
}

 saveFileStream.Close();
smRespStream.Close();

Files under 8MB are fine. Ones over however are not, as their md5 checksum is different. The total sum of iByteSize per iteration seems to add up to the file size (obtained from the header with ContentLength on the httpwebresponse). I've been googling and reading, but still not solved the problem. Comparing the binary of two files just over 8mb (10mb), even though they both say the same size, the downloaded one is shorter in terms of the number of lines of (mostly) gobbledygook. Does anyone have any suggestions?