Hello all,
I'm looking for a good way to protect files from being downloadable, unless they are requested through a script which does some authorization checking.
This is the layout I have at the moment:
www.myhost.com/
This is the start page; users log in here.
www.myhost.com/user/files/all_the_users_file
If a user wants to download something, he accesses it through a script which checks if he's authorized, and if yes, lets him download the files.
The problem I have is that he can omit the script and simply put the full URL to his files and be able to download them, thus any other person could do this as well, if they know the filenames (directory listing in Apache is turned off).
I haven't yet had the right idea on how to achieve this layer of security. One idea I had was to store all files below the wwwroot set in Apache, and if a file gets requested, I move it to a temporarily accessible folder, the user can download it, and when the download is done, or a given amount of time later, I remove the file again (would require a cronjob to remove the files again etc). But since the site will be under heavy load, I doubt that this would be a good solution.
Using .htaccess files isn't a solution either I think, since I'm using my own login system. Unless PHP can work together with .htaccess in some way I don't know of yet.
Does anyone have any ideas on this, or could you direct me to a place where I could find information about this?
Thanks in advance
Emanuel
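
One way to close the direct-URL gap described in the post, as an added example that is not part of the original post: the files are kept outside the Apache DocumentRoot and the authorizing script streams them itself, so there is no temporary copy and no cleanup job. The storage path, the `user_id` session key, the `file` query parameter and the one-directory-per-user layout are all assumptions.

```php
<?php
// download.php: added example; every name and path here is an assumption.
// Assumed layout: files live OUTSIDE the Apache DocumentRoot, one directory
// per user id, so no URL maps to them directly.
const STORAGE_ROOT = '/srv/private_files';   // hypothetical, not under wwwroot

/**
 * Map a requested file name to a real path inside the user's own directory.
 * Returns null if the file is missing or the name tries to leave that directory.
 */
function resolve_user_file(string $storageRoot, string $userId, string $requested): ?string
{
    // The user id becomes a directory name, so restrict its characters.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $userId)) {
        return null;
    }
    $userDir = realpath($storageRoot . '/' . $userId);
    if ($userDir === false) {
        return null;
    }
    // basename() drops directory components such as "../" from the request.
    $path = realpath($userDir . '/' . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // After symlink resolution the file must still sit inside the user's directory.
    $prefix = $userDir . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {   // assumed to be set by the site's own login system
    http_response_code(403);
    exit('Not logged in');
}
$path = resolve_user_file(STORAGE_ROOT, (string) $_SESSION['user_id'], (string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}
// Strip characters that could break out of the quoted header value.
$name = str_replace(['"', "\r", "\n"], '', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);   // writes the file to the response; no copy is placed under wwwroot
```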