tqla Posted September 19, 2007

I have built a password-protected member area. In this area content pages are not accessible unless someone is logged in. One of the protected pages contains a link to a PDF file. Here's my question. If you hover over that link you see the absolute URL to that PDF file. What's to stop someone from downloading the PDF directly from now on and bypassing the login page? Is there a way to prevent someone from going directly to the absolute URL to download stuff by forcing them to log in first? I know how to do this with content pages, I do it all the time. I'm talking about links ON the content pages to files such as PDFs, zips, etc. Is this an htaccess thing? Thanks.

cooldude832 Posted September 19, 2007

A few options on this. One is to store the file in a database, then make the link to it be a creation off the database of the binary file content. Second choice is to use chmods and set that user as the "group" while logged in. PDFs are harder than images to do because images have the whole GD library that is commonly used. There is a PDF creation lib in PHP, however it is not as well used and tutorials are limited on it. However, if you are just taking a PDF, storing it as binary and recreating it, it shouldn't be too hard. The trick is just to use a layering effect:

Step 1: Link to the file (it's a PHP file first).
Step 2: The PHP file checks if the login is valid.
Step 3: It retrieves the proper file and opens it in a new window.

The file never has an absolute URL because it is not a real thing, only dynamically made. (You can use POST to protect the file creation from intrusion via people nabbing GET variables.) I know a lot of banks use a system similar to this for displaying checks online.

Psycho Posted September 19, 2007

There is a better way: use the header() function to "serve" the file to the user without the user ever knowing the true path to the file. This is the method many download sites use where the ID to the file is passed on the query string.

<?php
//Authenticate user

//Set the header for a pdf
header('Content-type: application/pdf');

//read the contents
readfile('path/filename.pdf');
?>

When the user is directed to this page you can first authenticate them. If the authentication fails, direct them to the login page. If auth succeeds then they will be presented with the PDF just as if they directly linked to it.
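
An added example, not code from any poster in this thread, of the header()/readfile() approach described above with the authentication step and the query-string ID lookup filled in. The session key `user_id`, the `/login.php` URL, the `/var/www/private_files` directory (outside the web root, so no direct URL reaches the files) and the file map are all assumptions.

```php
<?php
// download.php: added example; every name below is an assumption, not from the thread.
declare(strict_types=1);

// Assumed layout: protected files live outside the web root, so no URL maps to them.
const FILE_DIR = '/var/www/private_files';

// Allowlist of public IDs to stored files (constructed sample data).
// The client only ever sends an ID, never a path.
const FILES = [
    'member-guide' => ['name' => 'member-guide.pdf', 'type' => 'application/pdf'],
    'templates'    => ['name' => 'templates.zip',    'type' => 'application/zip'],
];

// Returns [path, type, name] for a known ID, or null if it must not be served.
function resolve_download(string $id, array $files, string $dir): ?array
{
    if (!isset($files[$id])) {
        return null;                        // unknown ID: nothing to serve
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $files[$id]['name']);
    // Defence in depth: the resolved path must still sit inside the private directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return [$path, $files[$id]['type'], $files[$id]['name']];
}

session_start();
// Assumption: the login page sets $_SESSION['user_id'] after a successful login.
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit;                                   // without exit the file would still be sent
}

$id   = is_string($_GET['id'] ?? null) ? $_GET['id'] : '';
$file = resolve_download($id, FILES, FILE_DIR);
if ($file === null) {
    http_response_code(404);
    exit('File not found.');
}

[$path, $type, $name] = $file;
header('Content-Type: ' . $type);
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store'); // keep shared caches from storing member files
readfile($path);
```

The protected page then links to `download.php?id=member-guide` instead of the PDF itself.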

cooldude832 Posted September 19, 2007

Good call on that one, and you can store the data in binary also with that and not need the redirect I described.

tqla Posted September 20, 2007

Ah ha! Thank you very much for helping me cooldude832 and mjdamato. Both solutions make perfect sense.