User Login - Secures PHP files but not other types (ex PDF)

deco

Hi
I have a login on my site. Its not a high security login, its just as much to keep people from stumbling into a section and getting confused, regardless here is my issue:

I'm using a session to make sure the user that is viewing the content has gone through the authentication process. This works fine, I just check at the top of any PHP pages in the secure section of the site. The problem is there are a lot of PDF files, and they can be accessed if somebody happens to know the link. Its a minor issue in this case, but I would like to know: How can I make it so they can't access PDF or other files in the secure area?

Thanks!

cahva

Hi,

You can secure your files quite easily with the help of mod_rewrite.

Heres an example.
Let's say you have a folder in your www-root called pdf.

Create this .htaccess file and copy it to the pdf folder:

RewriteEngine On

# Condition to check that the file exists
RewriteCond %{REQUEST_FILENAME} -f

# And redirect .pdf files to download.php
RewriteRule ^(.+)\.pdf$ download.php?file=$1 [L,NC,QSA]

Then create download.php and copy it to pdf folder also:

<?php
session_start();

if (!isset($_GET['file']))
{
	exit;
}


if (!isset($_SESSION['logged_in']))
{
	echo 'You are not authorized to download this file!';
	exit;
}

$file = $_GET['file'].'.pdf';
if (file_exists($file))
{
	header('Content-type: application/pdf');
	readfile($file);
	exit;
}

In this example, we check that there is a session variable $_SESSION['logged_in']. You probably have similar in your auth so copy that name to this script.