[Resolved] Security and authentication question

maxxd

Hi. I am currently working a site with .pdf files in a folder restricted through the ISP's control panel, which is as should be. However, there is a custom PHP script allowing users to log in against a database of username/password. I set a session variable upon validation, and check for it on each .php page within a "protected" directory. However, I have no idea how to protect the pdf's from outside viewing without using the cp to set the .htacess file for the directory.

Now, I've searched the forums and checked out the PHP manual - perhaps my brain isn't working all too well right now, but the answers aren't really making much sense. The PHP_AUTH_USER, PHP_AUTH_PW, and PHP_AUTH_TYPE - are these the things to use to get through the .htaccess directory protection? Or should I use a 'WWW-Authenticate: Basic realm="My Realm"' header? And if so, how exactly do I put this in before the pdf is downloaded to the client? Or do I need to simply send a "valid-user" header?

Like I said, it just doesn't seem to be making much sense to me right now - my brain is beginning to hurt - so sorry if the question is very basic. If there are any tuts anyone knows of that explain things in depth, I'd really appreciate a pointer to the addy. Of course, opinions and instruction are always welcome 😃 .

Thanks!

AstroTeg

I would opt for a simple approach:

If possible, but the PDFs in a non-web browse-able directory. A directory above the web site's root directory would be fine. Otherwise, an .htaccess controlled directory will work ok (just don't give anyone the user name or password).

Then build a PHP script which, after the proper security credentials have been checked, you have PHP read the PDF file and echo it back to the browser (you'll need to include the proper PDF headers so the browser knows its a PDF your sending).

Using this approach, you maintain control through the credentials you setup (be it a session, a user/pass combo, an IP address, whatever).

maxxd

Thanks for the advice - sorry it took a few days to say so... Been kinda crazy. Anyway, I'll give a shot to parsing the pdf through php - a simple include (unfortunately) doesn't work, so I have to dig into the headers of which you spoke and figure out what to pass when and where. Also, just for my own future reference, I'm going to try to figure out how to use php to ask the user for username/password, authenticate it against a mysql database, then pass the authentication on to the .htaccess file for access to an entire directory. (I'm probably not explaining the above properly, but I'm not really sure where I'm supposed to be starting on this, which is why it's causing such headaches...)

I've found a few tuts on doing the above, one of which looks promising - I'll be looking at it later today. If anyone knows of any tuts on the process outlined above - or even a good starting point for searches on the sunject and whatnot, I'd still very much appreciate the help.

Thanks!

maxxd

Astroteg - thanks for pointing me in the right direction. got it now. I simply put the folder with the pdf's one level above the web root and use the following code -

header("Content-Type: application/pdf");
readfile('../pathToFiles/$filename.pdf');

and it works brilliantly!

Thank you!