Click a link to download a file?

[php_guy]

Hello all,

 

I am trying to make a document repository for my a group of people on my website.

 

The problem is, I only want people with "membership" (i.e. that enter a correct user/pwd) to be able to get access to this page and download the files.

 

Normally in PHP we can use Sessions to create a login process -- that is not the problem. The problem is that if someone knows the direct link to the file, they can send it to a friend (who is not a member) and they can download the file without being able to log in.

 

For example, let's say an authenticated user John logs in and copies the link location of a particular MS-Word file. This link will allow anyone to download the file. How can I prevent that?

 

Thanks

[gristoi]

Dont link the anchor directly to the file:

<a href="link/to/file.doc">Download</a>

instead send it to a function that will check if the user is logged in,

<a href="http://mysite.com/downloadfiles.php?downloaddoc = doc.doc">Download</a>

then within a function on the page you have sent the link to

fetch the file using  file_get_contents or another similar method, then within the function push the file to the browser with the correct headers.

[PFMaBiSmAd]

You would dynamically output the file using a .php script. The download link would be to the .php script (with a get parameter on the end of the url that indicates which actual file to output.)  The .php script would contain your log in check code that determines if the current visitor is logged in and is authorized to download the requested file. The folder where the actual download files are stored in would either be outside (closer to the disk root) your document root folder or if that option is not available to you, you would put a .htaccess file in the folder that prevents all direct http requests to the files. You would either use some generic id in the get parameter to determine the actual requested file or if you use the actual file name in the get parameter, you would need to validate (or force) that the supplied value is just a file basename so that someone could not use directory transversal (../../....) to download a file outside the folder where you actually have the files stored. You could also generate a unique id value per visitor/per file (stored in a database table) that only allows that visitor to download a specific file, for a limited time, or only once.

 

Google for "php force download script"