Protecting PDF Files

nbrewer

I have several PDF files located in the directory '/pdf' and would like them protected from prying eyes. Currently, if someone hits my site, my script redirects them to a login page. After logging in, a session variable is set and they can browse the site at will and download any offered PDF files (or any other downloadable files). The problem is, let's say the user downloads a PDF, saves it to floopy and erases the file from the hard drive. The next person to use that computer can look through the browser history, find the URL for any of the PDF's, and download it since PHP doesn't do any checking in that case. So, how do I protect my PDF files? It seems I would need .htaccess to somehow check my PHP session variable, but that's impossible. How are you guys protecting your files from being downloaded?
Thanks!

amcgrath

Umm, kill the session at some time? (This problem, however, is possible for damn near every other system like this, yahoo mail for example.....)

nbrewer

I'm not talking about killing the session. I'm actually assuming the user closes the browser, thus closing the session. But the next person to come to that terminal can look at the history and see "http://www.website.com/pdf/file.pdf" in the history. After punching in that URL, they could download the file since php is never invoked. Make sense?

Anon

If your server is an NT Server: Download "iisprotect" to protect your PDF.

If your server is Linux, use htaccess.

No other way... Once the person has the location of the PDF file, they will be able to bypass your php pages to get to it.

Anon

You can use a wrapper and never expose the files to the user.

Store the files in a directory outside of your web root, then write something like this to serve up the files:

this is from: http://www.phpbuilder.com/forum/archives/2/2000/7/3/102522

There are a few other examples out there but this is pretty simple:

$fp = fopen($url, "r");
Header ("Content-Disposition: attachment; filename=\"$filename\"");
Header ("Content-type: application/octet-stream");
while (!feof($fp)) {

$buffer = fread($fp, 10240);
echo $buffer;
}

amcgrath

Right, but i'm assuming you have session checking going on, if there's no session available in the scenario above, then the person would/should be sent to a login page...