asynja wrote: I had thought of doing a redirection through PHP, but a clever person could still find out the direct link to the file and give out the URL.
Quite true, so take it one step further:
Only allow them to download files through a PHP script. That way, you can do all of the necessary procedures to ensure that they are logged in and whatnot. Assuming they are, you'd output some headers and send them the file. Here's a code snippet from one of my PHP download gateway scripts:
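set_time_limit(0);
// basename() drops any directory part, so "../" in the request cannot leave $path
$get = basename($_GET['file']);
$path = '../files/';
// Bail out if the file does not exist, instead of letting filesize() and fopen() fail
if (!is_file($path.$get)) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path.$get));
header("Content-Disposition: attachment; filename=\"$get\"");
$fp = fopen($path.$get, 'rb');
// fread() sends fixed-size chunks; fgets() would stop at every newline byte in binary data
while (!feof($fp)) {
    echo fread($fp, 102400);
}
fclose($fp);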
EDIT: Forgot to explain - after you put this type of script in place, you would normally keep the actual "files" directory (as in my code snippet above) outside your website's root folder, meaning the files can't be accessed directly via the web. If this isn't possible, put them in a folder by themselves and use a .htaccess file to lock out access:
Order allow,deny
Deny from all
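
A fuller version of the gateway described in the post above, as an added example that is not the poster's script: it adds the login check the post mentions and confirms that the resolved path still sits inside the files directory. The session key 'user_id' and the FILES_DIR location are assumptions.

```php
<?php
// Added example, not the poster's script. Assumptions: the site's login code
// sets $_SESSION['user_id'], and FILES_DIR is a directory outside the web root.
declare(strict_types=1);

const FILES_DIR = __DIR__ . '/../files';

/** Map a requested name to a real file inside $baseDir, or null if not allowed. */
function resolveDownload(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    // basename() drops directory parts; realpath() then resolves symlinks
    $real = realpath($baseDir . '/' . basename($requested));
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // The resolved path must still sit under the base directory
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

session_start();
if (empty($_SESSION['user_id'])) {   // not logged in: refuse before touching the file
    http_response_code(403);
    exit('Login required');
}

$req  = $_GET['file'] ?? '';
$file = is_string($req) ? resolveDownload(FILES_DIR, $req) : null;
if ($file === null) {
    http_response_code(404);
    exit('File not found');
}

// Keep only safe characters in the name echoed back in the response header
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file));

header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($file));
header('Content-Disposition: attachment; filename="' . $name . '"');
readfile($file);
```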