header("Location: my_pdf_page.php");
I would list the pdfs as links on my_pdf_page.php and have a download script to start them downloading when the link is clicked; this will build character! (meaning you get to find out browser-specific quirks).
If you just redirect to
http://somesite.com/my_file.pdf
then really my_file.pdf is not "password protected" at all. If someone knew its URL they could go straight to it. Really depends I guess on what you thinks is "satisfactory" means of accessing the pdf. my_pdf_page.php would first check that the user is logged in, otherwise redirect to login screen.
OK, didn't take me long to dig up this bit that forces the download of PDF, YMMV, use at your own risk 🙂
//$file is the name of the file i just carefully extracted from the request (ie $_GET most likely).
//its value is NOT TO BE TRUSTED
if( $file && preg_match( "/^\./", $file ) ) {
//bogus, logout user
header( "Location: rptlist.php?logout" );
exit;
}
if( $file && file_exists( REPORT_REPOSITORY . "/$file" ) && preg_match( "/\.pdf$/", $file )) {
//looks like a good filename
# start download
$path = REPORT_REPOSITORY . "/$file";
header("Content-Type: application/zip\n");
header( "Content-disposition: attachment; filename=\"$file\"\n" );
header("Cache-Control: cache, must-revalidate");
header("Pragma: public");
header( "Content-transfer-encoding: binary \n" );
header( "Content-length: " . filesize( $path ) . "\n" );
#header("Cache-control: private\n");
//send file contents
//should really check $fp isnt FALSE here:
$fp = fopen( $path, "rb" );
fpassthru( $fp );
fclose( $fp );
exit(0);
} else {
//send back to the page listing the available PDFs
header( "Location: rptlist.php" );
}
I just noticed i have application/zip in the code but this was definitely to download a pdf. Its been a while since I threw this together and most certainly its code I googled (for the most part).
