I have this scheme in mind that I think will work well, and maybe is even the way to do this sort of thing.
There is a set of files for download that I want to be able to restrict to certain users. The solution I've come up with seems pretty reasonable, but I wanted to get some feedback before I proceed beyond the proof-of-concept to the real deal.
Everything is within the web root or below. I will put the secured files in the downloads directory and protect it by denying both indexing and access ("-Indexes" and "Deny from all" in the .htaccess file). So - a user can't just dig around the directory, hoping to find something - he'll get an access denied message from Apache. Qualified users will be directed to a download script that first checks proper qualifications, then proceeds to send the proper file headers and the file contents. It can be as simple as doing the following <img src="image.php?image=fname.jpg">, where the image.php is the script that checks quals then sends the image file via fread() or similar functions. Of course, that's not the best security, but you get the idea of how the file request could be handled. I suppose for added security filenames could be given some random hash, whose value is stored against some other known in a DB.
Ideas? Comments? Suggestions?
Thanks!
Cameron
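
A sketch of the download script described in the post, as an added example that is not part of the original post: it checks the user, resolves a random ID to a stored filename instead of accepting a filename from the query string, and confirms the resolved path stays inside the downloads directory before sending it. The session key `user_id`, the `$catalog` array (standing in for the DB table) and the sample ID are assumptions made for illustration.

```php
<?php
// image.php: added example, not the poster's code. Assumed names: session key
// 'user_id', downloads/ beside this script, $catalog standing in for the DB.
declare(strict_types=1);
session_start();

const DOWNLOAD_DIR = __DIR__ . '/downloads';

// Constructed sample row: random ID => stored file, MIME type, allowed users.
$catalog = [
    '9f2c4e1ab07d' => ['file' => 'fname.jpg', 'type' => 'image/jpeg', 'users' => [17, 42]],
];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// 1. Check qualifications before touching the filesystem.
$userId = $_SESSION['user_id'] ?? null;
if (!is_int($userId)) {
    deny(403);
}

// 2. Look the request up by random ID; the client never supplies a path.
$id = $_GET['image'] ?? '';
if (!is_string($id) || !isset($catalog[$id])) {
    deny(404);
}
$entry = $catalog[$id];
if (!in_array($userId, $entry['users'], true)) {
    deny(403);
}

// 3. Confirm the resolved path is still inside downloads/, which guards
//    against a bad catalog row or a symlink pointing elsewhere.
$base = realpath(DOWNLOAD_DIR);
$path = realpath(DOWNLOAD_DIR . '/' . $entry['file']);
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    deny(404);
}

// 4. Send the headers, then the file contents.
header('Content-Type: ' . $entry['type']);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this in place the request becomes image.php?image=9f2c4e1ab07d. The "Deny from all" rule can stay on the downloads directory, because the script reads the file from disk rather than through Apache.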