0

I have provided a straight download link in my site as below.

<a href="myfile.pdf">Download here</a>

This file is accessible to everyone. But I want to restrict this based on logged-in users.

Say a user has an active session / cookie upon successful login, as below.

$_SESSION['login'] = 1  or $_COOKIE['login'] = 1

Even if I set the following condition, people can manually type http://web.com/myfile.pdf and are able to download the file...

if($_SESSION['login']===1 && $_COOKIE['login']===1){
    echo '<a href="myfile.pdf">Download here</a>';
}

Other anonymous users should not be able to access the file.

logan

1 Answer

5

If it were me, I would use something like this to hide the link entirely from users who are not logged in:

if($_SESSION['login']===1 || $_COOKIE['login']===1){
    echo '<a href="myfile.pdf">Download here</a>';
}

If you are looking for specific download denying based on the session after the link is clicked, you will have to set up some type of script to handle the above code and return the file you want.

EDITED:

OK, then link it to a script that retrieves the file from a non-accessible location and feeds it back with the same if/then statement.

Something like

filedownload.php?filename=foo.bar

And then filedownload.php would look something like this.

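<?php
session_start();
// Require both the server-side session flag and the login cookie.
// Cookie values always arrive as strings, so the cookie is compared with '1'.
if (isset($_SESSION['login'], $_COOKIE['login'])
    && $_SESSION['login'] === 1 && $_COOKIE['login'] === '1') {

    // Directory that is not reachable by URL, so the file cannot be fetched directly.
    $file_dir = "/some/dir/";
    $file = $file_dir . 'foo.bar';

    if (file_exists($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename='.basename($file));
        header('Expires: 0');
        header('Cache-Control: must-revalidate');
        header('Pragma: public');
        header('Content-Length: ' . filesize($file));
        // Discard buffered output (if any) so it does not end up in the download.
        if (ob_get_level() > 0) {
            ob_clean();
        }
        flush();
        readfile($file);
        exit;
    }
} else {
    echo "You need to login to download this file.";
}
?>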

This was copied directly from the PHP manual, with the if/then statement added.

Calvin K
  • Even if set, anyone can manually type the link and get the file – logan Feb 12 '14 at 18:17
  • It says, Warning: Cannot modify header information - headers already sent – logan Feb 12 '14 at 18:30
  • 3
    @logan, that script should be the only thing in the entire page. Nothing else. Not even a space before ` – Jonathan Kuhn Feb 12 '14 at 18:35
  • Then you must have something else wrong with your script. This checks if the session and cookie are set. If so, it downloads the file; if not, it shows the error message. Make sure you used session_start(); on the filedownload.php file. – Calvin K Feb 12 '14 at 18:36
  • @JonathanKuhn : it works now.. but what if I want to display some custom text in the page? – logan Feb 12 '14 at 18:38
  • 1
    You would want to display the text on another script and use something like a meta refresh or javascript to forward the user to the download page. You can't display a message on the same page as the download script because anything output before the header will throw an error and anything output after the header will be included in the downloaded file. – Jonathan Kuhn Feb 12 '14 at 18:42
  • If you don't mind, please change your downvote to an upvote if this solved your question. – Calvin K Feb 12 '14 at 18:44
  • @CalvinK : Thanks :) I have done it, but there is no need to downvote my question as well!! Because I have explained it well; you can remove the downvote! – logan Feb 12 '14 at 18:49
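
The answer's link passes `filename=foo.bar`, while its script serves one hardcoded file. As an added example (not part of the original answer), here is a version that honours the parameter but confines it to the storage directory and gates on the server-side session only; `STORAGE_DIR` and `resolve_download()` are assumed names.

```php
<?php
// Added example, not from the original answer. STORAGE_DIR and
// resolve_download() are assumed names; 'filename' is the link's parameter.
declare(strict_types=1);

const STORAGE_DIR = '/some/dir';  // assumption: a directory outside the web root

// Map a user-supplied name to a real file inside $baseDir, or return null.
function resolve_download(string $baseDir, string $requested): ?string
{
    // Keep only the last path component, so "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;  // empty names and dotfiles are never served
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks; reject anything that resolves outside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
// Only the server-side session is trusted; a cookie value is client-controlled.
if (!isset($_SESSION['login']) || $_SESSION['login'] !== 1) {
    http_response_code(403);
    exit('You need to login to download this file.');
}

$requested = $_GET['filename'] ?? '';
$path = is_string($requested) ? resolve_download(STORAGE_DIR, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

// Restrict the suggested filename to a safe character set for the header.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```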