Obscuring Link to File

kbc1

Hi all

I have created a login area which simply lists files in a folder structure on the server and users can click the link to view/download the files, however at the moment there is nothing stopping a user from sending the absolute path to the file on the server to someone who does not have a login and they can download it.

example:

mydomain.com/files/folder1/myfile.doc

Now without storing these files outside of root, is there anyway I can protect the files from the outside world and only allow them to be downloaded when a user is logged in and clicks the link on the script?

Many Thanks

Desdinova

Yes.

use a file that checks user login. If login is invalid, show an error message. If it is valid, set headers matching the file (like the filename, mimetype, etc), and load up the file through file_get_contents() and echo the contents.

The file itself should be placed in a dir that is not reachable through web. So this could be one level higher than your public_html or httpdocs dir. You can also put a htaccess file in a publicly available dir and set it to deny requests from everyone. That way you can only get the file through the PHP file, and that checks for the login.

some references:
php.net/header
php.net/file_get_contents

for the htaccess file google on something like 'allow deny access htaccess', that should get you some tutorials.

kbc1

Hi Desdinova

Thanks for your response.

I have all the login details verified, thats not a problem, its help with the php script that loads the file is what I need.

My script that displays the folder structure is always as such:
http://www.mydomain.com/file-search/

The URL of this never changes.

So, when I am clicking through my folder structure, lets say 5 folders deep, I need to be able to push a file from the selected folder to the PHP script which will in turn popup a box promoting the user to download or open this file.

It is help with that script I need.

Any ideas?

Thanks

Desdinova

That sounds like a change in requirements since your first post?

anyway, a popup could be received by pulling the same trick as I described earlier, but this time you add the header that tells the browser it's an attachment or download. I believe it's called attachment. This would generate the default browser box 'do you want to run or download xxx?' which I'm sure you've seen more often.