Security of files in a folder

mdowling

I'm creating a database for old tests that people have taken. The tests are scanned in and stored in a folder on my server. In order to see them and navigate the many pdf files, you have to login with a username and password. I know how to do all that, but how can I password protect .pdf files on my server so that they can only be accessed from the point after the user has logged in? Everything works dandy except for the fact that people can directly link to a .pdf file (a huge security risk). Also, if I don't password protect the directory of the pdf files, can webcrawlers find the information and store it in their search database?

Kudose

.htaccess should prevent direct linking and spidering.

Alternatively, you could place the PDF files outside of the web root and force the script to serve the file.

Users cannot grab content outside of the web root, but scripts can.

sfullman

Definitely if the files a confidential, place them outside the web root. This way you can control access trhough a single script. Knowing the password for .htaccess would still not allow them to get the files unless they were in a specific sequence.

To REALLY protect the files, you would chmod them to something only root could access. Then you could create a php file which ran server side, owned by root, and call it by system() command.

Sam