bookmarking secured files

[micah1701]

Hi all, sorry I haven't been on here for a while - I recently got a promotion at work and my main project is in ColdFusion (of all the g-d aweful languages) but anyway...

Usually, for secure "member only" sites, I have a simple log in that checks the user's credentials in the database and if they are authorized, I set some session variables and on each page of the site, check those vars to make sure the member is logged in and has access to the site.

This has always worked, save for the problem of users who can bookmark, or otherwise hotlink the non-php files and access them when they are not logged into the site.

example: user goes to the page "membersOnly.php" and is not logged in, so they get booted to the log in screen. so they log in, and go back to the php page which now recognizes them and shows the page, which includes a link to a PDF file. They right click on the URL to the PDF, copy it, and e-mail the URL to their friend who does NOT have access to the site. The friend clicks the link and can view the file - because there is obviously no server side check to see if they are logged in or not. I cant exactily modify the PDF files to do that.

So, how do I get around this?

let me point out that I've done some of the obvious. In the past, I've created a "download" file that reads a file and displays it to the logged in user - thus hidding the true location of the file. (this technique also works well for storing the file as a blob in the database) -- The problem is that this is cumbersome for pages with lots and lots of file links.

the other thought I've had, which seems more obvious, is to use HTTP Auth. This would achieve exatily the out come I am looking for -- locking all files down and making them only accessable to logged in users -- but HTTP Auth has its own limitations and is not all that robust. Especially when it comes to maintaining a .passwd file for all 8 zillion users.

I know you can use PHP to send the PHP_HTTP_AUTH header, but I'm really having a bit of a brain fart thinking how to implement this. Any thoughts?

sorry for the wicked long post - i get carried away sometimes.

[redarrow]

What about a users has to enter a password to get the downlaod for the pdf file.

Also what about if the email is not theres the email with file can not be sent.

I tried lol

good luck.

[redbullmarky]

for secure content, i always stick the files in a folder outside the web tree. my database stores the filename, size, type (application/msword, image/jpeg, etc). i then use a script which retrieves this file and sends it to the browser. to this day, i have never used the default HTTP_AUTH methods as i find that i don't have as much control over them and they sometimes appear 'clunky'.
anyway, to the point - this will let you, using php, decide on a file by file basis (as opposed to protecting an entire directory) who can get what file.

so instead of the link:
[a href=\"http://www.mysite.com/thisfile.pdf\" target=\"_blank\"]http://www.mysite.com/thisfile.pdf[/a]

you would have:
[a href=\"http://www.mysite.com/getfile.php?file=thisfile.pdf\" target=\"_blank\"]http://www.mysite.com/getfile.php?file=thisfile.pdf[/a]

and the getfile.php would do the necessary security checks and presenting the file to the user.

[b]EDIT[/b]: to elaborate, all getfile.php does is gets the filename and type ($_GET['file']) from the database, opens the file, sets the headers, and outputs the result. much the same as a thumbnail script if you've used one for images.

cheers
Mark