Protected Files

Anon

Hi,
I have a couple of zip files that I want to protect of being downloaded from a link in another website, but they can be downloaded if the user previously entered his email address.
I created a folder protected by a Username/Password, and a php script that gets and test the email, and then sends the user to the zip files using:

header("Location: http://username:password@www.site.com/protectedfolder/zipfile.zip");
exit;

This method works perfectly with Opera and NS, but in IE it always show the Username/Password dialog box, and if you hit cancel it shows the full path, with login and password (in text, not *** 🙁 )

I am quite new in php and I'd like to know if there is another method to send the user to a password protected folder, but that the user never gets the username,password.

Or if you know another method I can use to do this... I asked the webhost provider and they said that this cannot be done (but I am quite near).

Thanks in advance for any help...

diego

[deleted]

Indeed, you cannot send a user to a password protected page without giving him the password. It is simply not possible.

What you can do it give him a temporary password, one that expires after X minutes.

For example:
You can make a PHP script that acts as a downloader. You give it a filename as a parameter (http://www.whatever.com/download.php?filename=bla) and it will send you the file asif you were requesting the file directly.
Put the file somewhere in a directory where the webserver cannot find it (outside the documentroot).
You can easily modify that script to also accept/require a password.

When a user enters his email, use some clever algorythm to create a password, and store that in a database (or flatfile if you feel lucky) along with the time that the password was issued.
Then print the link to the download script, along with the password.

When the download script starts, make it so that is checks the password against the database, to see if it was issued more than X minutes ago. If it was issued more than 30 minutes ago, ask for the email again. If it wasn't, download the file.

This way people cannot link to the file without first entering their email, so linking from another website is useless.