How to check login before download?

ecce

I guess this must be a very common solition, but I've not found a good solution to it yet.

I work at a University and we (leagally) allow students to download software from out web site. This downloads should of course not be available to anyone, and I've tried various ways of restricting it, but the perfect solution is yet missing.

It's simple. All files are in the download folder. If you're not logged in, you shouldn't be able to access the download folder, nor any files in it.

Some files are HUGE, so downloading via "download.php" would lead to a timeout. Changing this timeout is possible, but it doesn't feel like a good solution.

If possible, I want the ordinary Apache Indexing of the download folder and the download itself handeled outside php, but I'll appreciate any solution you may suggest.

nemonoman

I believe that the PHP timeout refers to script evaluation and logic execution, not the amount of time required for a download. In effect the PHP script hands the downloading part over to Apache...the script itself should execute in next to no time.

Roger_Ramjet

A quick google comes up with all sorts of solutions:
mod_auth_mysql
apache http authentication
etc
etc
Many of these are new to me; I would personally be using .htaccess and .htpasswd

ecce

nemonoman: One solution I tried was to put the download folder outside the www root so no files could be access directly. I then wrote a download script that read the file and outputted it to the user, setting header etc so it forces a download. But the script timed out way to soon and although you could change this it didn't feel like a pro solution.

Roger Ramjet: I've looked at those;

apache HTTP authentication is pure crap if you ask me, and impossible to log out of in a decent way. mod_auth_mysql provides ANOTHER way of logging in. The one I have is rather advanced, uses LDAP and connects to eDir servers and makes a series od checks before a user is logged in. this is not possible with either apache login solution.

Horizon88

Do they have a standard login across the university network? Could that be tied into an FTP server login?

ecce

Do they have a standard login across the university network?

yes

Could that be tied into an FTP server login?

There's an idea... encrypted FTP requires a stand-alone client and a separate login, and that's making the whole thing a bit more complicated, but maybe that's the way to go.

Horizon88

Well if it's just for university students, you wouldn't even need it to be encrypted, really - just push out FileZilla or another FTP client across the intranet, and then setup a local FTP server that has their logins tied into it, then don't let the FTP server be world-accessible, just the local intranet.