pdf security?

hame22

Hello guys,

I have set up a facility using a php login script that restricts access to a group of pdf's unless the user enters correct password and username. The only problem is that the user can skip the login once they know the direct url to the pdf. This leaves my site completely insecure!

any ideas on how to prevent this and to check for login each time a pdf is requested?

i'd appreciate and help and comments, thanks!

paulnaj

Hi hame,

Welcome to the forum!

This is not a PHP problem, but what the heck ...

First off, remember that nothing is truly secure with HTTP. If you really need security then you should seriously think about using a secure server. I don't know enough about that to really help and as I say, it's not a PHP issue.

But, you could ...

1) Put the files in a folder above the root.

2) Use a password-protected folder below the root (ask your server how to do that using an .htaccess file)

Paul 🙂

Ravenous

As mentioned above, keep files above the docroot. For instance, my docroot will be /some/path/to/docroot and I'll keep my PDFs at /some/path/to/pdfs. Simple and secure.

wilku

From what I understood you have password protection over a list of links to some pdf's on the server, like:

if (check_password())
{
 echo '<a href="files/pdf_file_1.pdf">This is the first file</a>';
//and so on
}
else
{
 print_login_form();
 echo "This site is protected";
}

. If that's not true, don't bother reading further.

The thing you have to do is, as mentioned above, move your files outside your web root and use the script to send headers apropriate to pdf and the contets of the file:

//download.php
if (check_password())
{
  if (isset($_GET['file']))
  {
   $filename = "/absolute/path/to/pdf_folder/".$_GET['file'].".pdf";
    header('Content-type: application/pdf');
   header("Content-Disposition: attachment; filename=\"$_GET[file].pdf\"");
   readfile($filename);
  }
  else
  {
      print_all_possible_downloads();
  }
}
else
{
 print_login_form();
 echo "This site is protected";
}

At the last stage, when printing possible downloads urls should look like http://your.server.com/downolad.php?file=filename_without_extension

<a href="http://your.server.com/downolad.php?file=filename_without_extension">One of the files</a>