I allow users who are logged in to upload private PDF files. In order to protect them, I store them in a folder which Apache is not allowed to serve from.
In order to get access to the files on the server, the user must log in and then click on URLs I generate in PHP.
These URLs use a download.php script (this can only be executed by people who have logged in and got a session) which basically adds a header and specifies what the file should be named as when it is saved on the client machine.
header("Content-Disposition: attachment; filename={$doconserver["basename"]}");
I then dump the PDF document to the browser using
@readfile($g_ps['core']['web_root'] . $ADMIN[$theu] . "/$file");
The above works great over a standard http:// connection in Internet Explorer. Over https:// IExplorer 6 barfs. Mozilla 1.2 however works fine, although it insists on adding ".html" to the end of my filename (a bug in Mozilla, I think)!!
Does anybody have suggestions on alternative ways to serve private documents to a logged in user over https? Comments appreciated. 🙂
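
A session-gated download handler of the kind described in the post above, written as an added example (it is not the poster's download.php). `PRIVATE_ROOT`, `$_SESSION['user_dir']`, the `file` query parameter and `resolve_private_file()` are hypothetical names. It also assumes the Internet Explorer failure over HTTPS comes from the no-cache headers that PHP's default session cache limiter sends.

```php
<?php
// Added example, not the original script. PRIVATE_ROOT is a hypothetical
// directory outside Apache's DocumentRoot; $_SESSION['user_dir'] is assumed
// to be set by the login code.
const PRIVATE_ROOT = '/srv/private_docs';

// Map a requested file name to a real path inside $baseDir, or null.
function resolve_private_file(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() discards directory parts such as "../" or absolute paths.
    $name = basename(str_replace('\\', '/', $requested));
    // Allow-list the name: no quotes, CR/LF or control characters can
    // reach the Content-Disposition header below.
    if (!preg_match('/\A[\w .-]+\.pdf\z/i', $name)) {
        return null;
    }
    // realpath() resolves symlinks, so re-check containment afterwards.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Call before session_start(): the default "nocache" limiter sends
// Pragma/Cache-Control no-cache headers; "private" keeps the response
// out of shared caches without them (assumed cause of the IE failure).
session_cache_limiter('private');
session_start();
if (empty($_SESSION['user_dir'])) {
    http_response_code(403);
    exit('Not logged in');
}

$userDir = PRIVATE_ROOT . '/' . basename($_SESSION['user_dir']);
$path = resolve_private_file($userDir, $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('No such document');
}

// Without an explicit Content-Type, PHP's default of text/html is sent.
header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```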