SXGuy Posted December 18, 2008

I have a website which has a members area. I have set up the members area so any pages, once logged in, can only be viewed by the logged in user; any pages in the members area that have been tried to access without logging in first will result in being sent directly to the log in screen.

However, I have a php page inside the members area which has a link to directly download some pdf files (the names of the pdf files are stored in an sql database). The problem is, if I copy the shortcut and paste it directly into a web browser I can view the pdf without being logged in.

So my question is, is there any way I can prevent direct viewing of pdf files without being logged in first? (I guess embedding it into a php page itself might work?)

I had thought about trying this

<a href=/login/$nt[VAcc] target=View.php>

and then setting session permissions on View.php. But I wasn't sure if that would resolve the issue of being able to just type http://www.mysite.com/login/myfile.pdf and displaying the pdf directly.

Any help would be appreciated, I'm quite new to PHP so forgive my ignorance.

Link to comment https://forums.phpfreaks.com/topic/137548-solved-how-can-i-disable-pdf-download-outside-a-secure-area/

JonnoTheDev Posted December 18, 2008

Use a download prompt to download the pdf after a user clicks instead of a direct a href link

SXGuy Posted December 18, 2008

ok but I don't think that solves the problem of just typing the location of the pdf file into a web browser and displaying it.

RussellReal Posted December 18, 2008

htaccess

you're going to want to move all MEMBERS only files into a folder maybe called MEMBERS

and then make HTACCESS redirect the user to a php page where you can see if the cookie / session is set, if it is, then use REQUEST_URI to get the file requested and then just echo the contents and set the content type, and it should replicate the file download / browser viewed pdf

if you want, add me on msn RussellonMSN@hotmail.com or sex.meNOW@yahoo.com (Yahoo IM), I can help you out better that way

SXGuy Posted December 18, 2008

ah htaccess! yes! that was what i was looking for. Thank you

akitchin Posted December 18, 2008

> ah htaccess! yes! that was what i was looking for. Thank you

just to point out, an even easier method is to serve the file up using PHP and simply store the file above your web root. while PHP can access that directory to serve the file, browsers cannot (how do you specify a directory above the web root in a URL?).

keep in mind this won't stop users from saving the PDF to their hard disk once they have downloaded the file, and distributing it from there.

SXGuy Posted December 18, 2008

users downloading the pdf isn't an issue, I've watermarked the contents so it's only used as a draft copy, cannot be used for any legal reasons.

I have set everything up as follows:

mysite.com/index.php

all files and pages for users who have access rights are stored at mysite.com/login

any attempt to access pages within /login without being a registered user will result in being redirected back to index.php

once logged in, my site directs to /login/member.php which lists member details and links for pdf's to download/view

the pdf filenames in member.php are listed as

echo "<a href=/login/$nt[sqlfieldname] target=_blank>View PDF</a>";

this would look like www.mysite.com/login/myfile.pdf if you were to view it in the browser.

copying that link and pasting it directly into the browser will display the pdf file regardless of whether you are allowed access or not.

.htaccess file doesn't seem to be allowed with my server, it won't work.

therefore I think the only option left for me is to zip the pdf files, password protect them, and store the password in sql database, then echo the password onto member.php for registered users.

akitchin Posted December 18, 2008

> users downloading the pdf isn't an issue, I've watermarked the contents so it's only used as a draft copy, cannot be used for any legal reasons.
>
> I have set everything up as follows:
>
> mysite.com/index.php
>
> all files and pages for users who have access rights are stored at mysite.com/login
>
> any attempt to access pages within /login without being a registered user will result in being redirected back to index.php
>
> once logged in, my site directs to /login/member.php which lists member details and links for pdf's to download/view
>
> the pdf filenames in member.php are listed as
>
> echo "<a href=/login/$nt[sqlfieldname] target=_blank>View PDF</a>";
>
> this would look like www.mysite.com/login/myfile.pdf if you were to view it in the browser.
>
> copying that link and pasting it directly into the browser will display the pdf file regardless of whether you are allowed access or not.
>
> .htaccess file doesn't seem to be allowed with my server, it won't work.
>
> therefore I think the only option left for me is to zip the pdf files, password protect them, and store the password in sql database, then echo the password onto member.php for registered users.

... or store them above your web root and serve them using php?

RussellReal Posted December 18, 2008

yeah, what he's saying is put them in let's say a hidden folder, (at least that's what I'm grasping)

~~ EDIT~~~

I understand what he means by "above your root" or whatever, you're in /var/www/htdocs or / and then your site goes in like /yoursite/index.php or whatever

so you'd go 1 step back from /htdocs/ or /yoursite/ into the /www/ or / folder, which will be inaccessible through your url, but it IS accessible to your php code

~~~~~~~~~

so let's say it's in mysite.com/login/

you'd put it in mysite.com/login/userfiles/

in /login/ put a php file files.php

then do mysite.com/login/files.php?file=mypdf.pdf

in files.php you'd check for the user's credentials, if he is logged in..

```php
// basename() drops any directory part, so ?file=../something cannot leave userfiles/
readfile("userfiles/" . basename($_GET['file']));
```

otherwise

```php
die("You do not have access to this file");
```

SXGuy Posted December 18, 2008

Oh I see what you mean, store the pdf's in a location not accessible from outside the domain, but accessible inside. I never thought of that! thanks, I shall try that later.

SXGuy Posted December 18, 2008

Update: It works like a charm, thank you!

Added /login/ to Config.php file

$directory = 'login'

added pdf files to /login/userfiles/

added View.php to /login/

www.mysite.com/login/login.php

echo "<a href=/$directory/View.php?file=$nt[sqlfieldname]

now it displays the pdf in a new window, without a site path.

www.mysite.com/login/userfiles/myfile.pdf however will still work, BUT the hyperlink will only display as

http://mysite.com/login/View.php?file=myfile.pdf

Therefore, it would require knowing that my pdf files are stored at /userfiles/ to be able to work out a direct link to the pdf.

I'm sure with some tweaking I can mask the real filename when the hyperlink is passed.

akitchin Posted December 18, 2008

i've been misunderstood. let's say that when you log into your server, you have the following directory structure:

    .
    ..
    cgi-bin/
    public_html/
    www/

and whatever else in there. logically, your website resides in both the public_html and www directories (one of which is just an alias for the other). if you place the PDF files in a directory ABOVE (that is, above in the directory tree) the web root, no one can access it:

    .
    ..
    cgi-bin/
    protected_PDFs/
    public_html/
    www/

if "http://www.yoursite.com/index.html" leads to "public_html/index.html", how do you specify the "protected_PDFs/file.pdf" in a URL? "http://www.yoursite.com/../protected_PDFs/file.pdf" ? it isn't possible.

SXGuy Posted December 18, 2008

Yes, that's why I didn't do it exactly how it was described.

my root is /

my domain is /mysite/

my index is /mysite/index.php

if I add my pdf files to /files/ instead of /mysite/files/ then I won't ever be able to hyperlink anything.

That's why I decided to put them in a folder after root, but hide the folder name using a variable stored in Config.php

Unless someone can clearly explain to me how you link files that are stored in a folder at / and not after /mysite/ I don't know how it can be done.

RussellReal Posted December 20, 2008

okay, you see how you said /files/ instead of /mysite/files/

what akitchin is saying is.. you can access /files/ with php from /mysite/login/view.php

and I'd assume probably with chdir

I haven't practiced this method much, so don't quote me, I'm just Mr. Clarification lol

SXGuy Posted December 20, 2008

ok thanks, I'll try that out, I just assumed that php couldn't locate anything in the root directory unless it's stored in a folder after the domain directory. I guess I am prob wrong, I'm quite new to php. I haven't written websites for about 10 years or so, and only then I had basic html knowledge lol.

RussellReal Posted December 20, 2008

if you have msn you could add me and ask me questions and stuff.. I'm available like 20/7

I'm a freelancer but I prefer helping people lol

SXGuy Posted December 21, 2008

Just to update everyone that helped me, I fixed the problem, and this thread can be marked solved.

All I had to do was set the pdf to have the option to open or save, and that fixes the direct path in the browser window

```php
<?php
include 'Config.php';
session_start();

// session_is_registered() was removed in PHP 5.4; check $_SESSION instead
if (!isset($_SESSION['myusername'])) {
    header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
    header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");   // Date in the past
    header("Location: Login.php");
    exit; // stop here, otherwise the PDF below is still sent
}

$pdf = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : '';

// the dot is escaped so that only a literal ".pdf" matches
if (preg_match('/^[a-zA-Z0-9_\-]+\.pdf$/', $pdf) !== 1) {
    print "Illegal name: " . htmlspecialchars($pdf);
    return;
}

header('Content-type: application/pdf');
header('Content-disposition: Attachment; filename=' . $pdf);
readfile($pdf);
?>
```

Thanks for everyone's help

redarrow Posted December 21, 2008

Well done.

Tell us what each line does in your code be nice.

SXGuy Posted December 21, 2008

Sure

```php
<?php
include 'Config.php'; // Variables stored for database lookup
session_start();

// checks if user is logged in (session_is_registered() was removed in PHP 5.4)
if (!isset($_SESSION['myusername'])) {
    header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
    header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");   // Date in the past
    header("Location: Login.php");                      // location of login
    exit; // stop here, otherwise the PDF below is still sent
}

// 'file' sent from Login.php
$pdf = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : '';

// looks to match the pdf name given by ['file']; the dot is escaped so only ".pdf" matches
if (preg_match('/^[a-zA-Z0-9_\-]+\.pdf$/', $pdf) !== 1) {
    print "Illegal name: " . htmlspecialchars($pdf);
    return;
}

header('Content-type: application/pdf');                      // header info for pdf formats
header('Content-disposition: Attachment; filename=' . $pdf); // marks file as an attachment
readfile($pdf);                                               // then outputs the file
?>
```

Ok so what we have is first, the page checks to see whether the current user is logged in, the page includes a config file with details on connecting to sql database to look up the pdf name.

Set the option to not cache the page, then I use $_POST to get the filename which was sent to the page by directing to View.php?file=$nt[sqlfieldname]

Checks to see whether the name given for the pdf exists on the server.

Then we set up the header information for the pdf. I could have added size of file etc, but readfile seems to handle that ok when displaying the attachment for download.

So when you use readfile(), it will pop up with a message asking if you wish to open or save the file, and the window behind that displayed it only has a link pointing to the php page and the pdf name.

Once an option has been chosen the page behind will disappear, leaving you with the original Login.php page and the file you either opened or saved, without displaying the direct file path to it.

Hope you're able to understand my explanation.
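
The approach akitchin describes (PDFs kept above the web root and served by PHP), combined with the login and filename checks from SXGuy's View.php, as an added example that is not code from any poster in this thread. The directory layout, the `PDF_DIR` constant and the `resolve_pdf()` helper are assumptions; `myusername`, `Login.php` and `protected_PDFs` are the names used in the posts above.

```php
<?php
// Added example, not from the thread. Assumed (hypothetical) layout:
//   <account home>/protected_PDFs/report.pdf       outside the web root
//   <account home>/public_html/login/View.php      this script
declare(strict_types=1);

const PDF_DIR = __DIR__ . '/../../protected_PDFs'; // assumption: two levels up

// Hypothetical helper: map a requested name to a file inside $baseDir, else null.
function resolve_pdf(string $baseDir, string $name): ?string
{
    // Whitelist the name; \A...\z (unlike ^...$) rejects a trailing newline.
    if (preg_match('/\A[A-Za-z0-9_-]+\.pdf\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name); // false if the file is missing
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Symlinks are resolved by realpath(); the result must still sit under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
if (!isset($_SESSION['myusername'])) {
    header('Location: Login.php');
    exit; // header() alone does not stop the script from sending the file
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolve_pdf(PDF_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found'); // fixed text: the requested name is never echoed back
}

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

Being logged in is the only authorisation check here, so any member can request any PDF name; limiting each member to their own files needs a lookup against the database row that lists them.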

redarrow Posted December 21, 2008

Thank you, sounds good to me.

Have a great xmas m8.