PHP Authentication of HTTP Download

Daveg

Hi all,

I have a website that has it's own inbuilt PHP membership system for accessing pages and that works fine. However, I want to be able to add some multimedia files that can only be downloaded by certain membership groups, even if someone uses a direct URL to the file and they do not have permission.

I don't want to use standard HTTP authentication, but instead have my normal PHP security scripts make the decision as to whether that user can download the file.

Is there a way of doing this that anyone is aware of?

I use Apache, is there anyway of putting an 'intercept' in place to call a script before it allows a download? The only other way I thought of doing it is to call a php download script with a parameter for a file on the server and that script returns the binary data of the selected file from the server. The actual filename of the file being downloaded is never disclosed.

Any help much appreciated!

Moonglobe

just keep the files outside the document root, then pass the filename as a get param (?file=blah), do your checks, if it works, send the right headers and give a thankyou, if it doesn check out, dont send the headers and tell them it doesnt work.

Daveg

Thanks very much for the reply Moonglobe 🙂.

Can you just expand a bit on 'send the right headers'? Are you talking about a redirect?

Kudose

Taken from http://www.php.net/header

<?php
// We'll be outputting a PDF
header('Content-type: application/pdf');

// It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');

// The PDF source is in original.pdf
readfile('original.pdf');
?>

Daveg

Thanks guys. Played around with that and got it working 😃