KillGorack Posted June 16, 2019

Securing my upload folder "upl"

The upl folder is used to store anything that is uploaded by the user for their needs that is not a part of the back end, as such all content in this folder is subject to being locked down and supplied after checking credentials. The upl folder has an .htaccess file that locks down all remote access.

    order deny,allow
    deny from all

When something is needed from this directory we jump that wall with the help of apache after credentials are verified. I think this is straightforward so far.

For images something like;

    <img src="downloader.php?app=1&id=20&type=thumb">

For files something like;

    <a href="downloader.php?app=1&id=20&type=file&fileid=1212">

After we check creds, we use something similar to the below to get data from that locked down folder.

    <?php
    // $file has already been resolved to a path inside upl after the credential check
    $size = filesize($file);
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');   // single Content-Type; the extra force-download line was redundant
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('Expires: 0');                                // these three headers tell the browser not to cache
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . $size);
    ob_clean();
    flush();
    readfile($file);
    exit();

Seems to work pretty swimmingly for the most part. My problem (or at least a mild nuisance) is that it seems that these images loaded in this manner are not subject to the cache system of a browser? It looks like they reload every time a page is visited. Is there a way around this?
requinix Posted June 17, 2019

Well, your script explicitly disables caching, so the solution would be to, you know, not. I imagine that once a file is uploaded it won't change. Maybe deleted or hidden, but not changed. Right? Set your Expires header to a date in the future, and fix Cache-Control to allow caching. And remove Pragma, it doesn't matter anymore.
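Putting the two posts together, here is an added example of a downloader.php that gates the locked-down upl folder the way the first post describes and sets cache headers the way the reply recommends. It is not KillGorack's code or a library API: the session key `user_id`, the `userMayAccess()` placeholder, the `upl/<app>/<id>/` layout, the `thumb.png` name and the one-year cache lifetime are all assumptions made for the example (in the original post `fileid` is presumably a database key, not a file name). Beyond the thread it also confines the resolved path to the upload directory and answers conditional requests with 304, which is what lets the browser reuse its cached copy.

```php
<?php
// Added example, not the original poster's code. Serves files from the
// web-inaccessible "upl" folder: checks credentials, confines the path to
// UPL_DIR, sends a real Content-Type for images, and allows browser caching
// (uploads are assumed immutable) with ETag / Last-Modified -> 304 handling.
declare(strict_types=1);

const UPL_DIR = __DIR__ . '/upl';   // assumed location of the locked-down folder
const CACHE_SECONDS = 31536000;     // one year, since an uploaded file never changes

session_start();

// Placeholder authorization check: replace with the application's own lookup.
function userMayAccess(?int $userId, int $app, int $id): bool
{
    return $userId !== null; // hypothetical rule for the example
}

// Resolve the requested file and make sure it is really inside UPL_DIR.
// realpath() collapses "../" and symlinks before the prefix comparison.
function resolveUploadPath(string $relative): ?string
{
    $base = realpath(UPL_DIR);
    $path = realpath(UPL_DIR . '/' . $relative);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // escaped the upload folder
    }
    return $path;
}

function sendFile(string $path, bool $inline): void
{
    $mtime = filemtime($path);
    $size  = filesize($path);
    // Weak validator built from facts about the file; cheap and stable.
    $etag  = 'W/"' . md5($path . $mtime . $size) . '"';

    header('Cache-Control: private, max-age=' . CACHE_SECONDS); // private: per-user content
    header('ETag: ' . $etag);
    header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $mtime) . ' GMT');
    header('X-Content-Type-Options: nosniff');

    // Conditional request: the browser already holds this version.
    $ifNoneMatch = $_SERVER['HTTP_IF_NONE_MATCH'] ?? '';
    $ifModSince  = $_SERVER['HTTP_IF_MODIFIED_SINCE'] ?? '';
    if ($ifNoneMatch === $etag
        || ($ifNoneMatch === '' && $ifModSince !== '' && strtotime($ifModSince) >= $mtime)) {
        http_response_code(304);
        exit;
    }

    if ($inline) {
        // Images: send the real MIME type so <img> renders, and only allow image types.
        $mime = mime_content_type($path);
        if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif', 'image/webp'], true)) {
            http_response_code(404);
            exit;
        }
        header('Content-Type: ' . $mime);
        header('Content-Disposition: inline');
    } else {
        // Everything else is a forced download; strip quotes/CRLF from the name.
        $name = str_replace(['"', "\r", "\n"], '', basename($path));
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . $name . '"');
    }
    header('Content-Length: ' . $size);
    readfile($path);
    exit;
}

$app  = (int)($_GET['app'] ?? 0);
$id   = (int)($_GET['id'] ?? 0);
$type = $_GET['type'] ?? 'file';

if (!userMayAccess($_SESSION['user_id'] ?? null, $app, $id)) {
    http_response_code(403);
    exit;
}

// Build the path from integers plus a basename()-stripped file name; the
// result is still confined by resolveUploadPath() before anything is read.
$name = $type === 'thumb' ? 'thumb.png' : basename((string)($_GET['fileid'] ?? ''));
$path = resolveUploadPath("$app/$id/$name");
if ($path === null) {
    http_response_code(404);
    exit;
}
sendFile($path, $type === 'thumb');
```

`Cache-Control: private` matters here: the content is served per user after a credential check, so a shared cache must not store it, but the user's own browser may. If you later let an upload be replaced in place, the ETag changes with the new mtime and size, so a revalidating browser still gets the new bytes. Note also that `order deny,allow` / `deny from all` is Apache 2.2 syntax; on Apache 2.4 the equivalent is `Require all denied` (the old directives only keep working if mod_access_compat is loaded), so check which one your server actually honours before relying on the .htaccess wall.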