0

I have a public website with 1 page that is password protected. On this page are links to several pdf files and just some text. This page and the files are currently protected using .htaccess and .htpasswd files. When users try to access it a pop-up shows up asking for a log-in name and password.

It works, but I don't like how it looks. I'd like to have a page on the website where people can log in, with the same look as the other pages. (Like most websites have)

I have looked around for a while and found this: "Easy way to password-protect php page". After messing around with it for a bit I got it to work and I successfully password protected one page. The problem, however, is the pdf files on the page. I have no idea what to do with those.

So for my question, I'd like the following:
1) A nice looking page where people can log in.
2) 1 password protected webpage behind this log in.
3) Multiple password protected PDF files that are accessible through this webpage. (They can just open in the browser)
There is only 1 name with 1 password.

Any suggestions on how this can be achieved?

  • May I understand that you want all pdf files accessible through that one single portal page which is password protected, but prevent people from accessing the pdf files directly without authenticating first? – Godinall May 13 '14 at 14:00
  • Okay, 2 ways to do so: one, as suggested below, using session control; second, you can put all your downloadable pdfs outside your html document root, so typing the urls directly will not work but you can still refer to them with links for members only. – Godinall May 14 '14 at 07:14

2 Answers

1

The problem is that on your 'secure' page, you can't provide a static link to the PDF file, else anyone who knows the link, has the PDF. This is security through obscurity, and is considered bad practice.

Two possibilities immediately come to mind to protect your PDFs:

  1. Don't link to the PDF itself, but to a script that 'transfers' the PDF. The PDFs are in a directory that is not accessible (out of the root) for the web, but accessible for the script. The script reads from the PDF and writes to the client.
  2. Link to the PDF itself, but configure the webserver to check for a valid session with your script. Users who use the direct link but are not logged in, receive an error. Bonus: configure the error page to go to the logon page. Using mod_auth_form could be the easiest way here.
Konerak
  • Thanks for the answer. For 1), am I correct this would only work with PDF files that just contain text? 2) Looks interesting. I'd have to look into it further to see if I can do anything with it / figure out how it works, as it's not something I've played with before. – user3478130 May 13 '14 at 14:38
  • Solution 1 works for every file: you read the file and "stream" it (with the correct headers) to the browser. The browser doesn't even see the difference. Solution 2 is pretty secure and not too difficult. – Konerak May 14 '14 at 12:08
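
Option 1 from the answer above (a script that checks the session and streams a PDF kept outside the web root), as an added example that is not part of the original answer. The `logged_in` session key, the `/login.php` URL, the `download.php` name and the `/var/www/private_pdfs` directory are assumptions for illustration.

```php
<?php
// download.php (hypothetical name): link to it as download.php?file=report.pdf
session_start();

// Assumption: the login page sets $_SESSION['logged_in'] after a correct password.
if (empty($_SESSION['logged_in'])) {
    header('Location: /login.php', true, 302);
    exit;
}

// Assumption: a directory outside the document root, readable by PHP only.
$pdfDir = '/var/www/private_pdfs';

// Reject array input (?file[]=x); basename() drops any directory component.
$raw  = $_GET['file'] ?? '';
$name = is_string($raw) ? basename($raw) : '';

// Accept only simple *.pdf names, so the value is also safe inside a header.
if (!preg_match('/\A[A-Za-z0-9._-]+\.pdf\z/i', $name)) {
    http_response_code(400);
    exit('Bad request');
}

// realpath() resolves symlinks; confirm the result is still inside $pdfDir.
$base = realpath($pdfDir);
$path = realpath($pdfDir . '/' . $name);
$prefix = $base === false ? '' : $base . DIRECTORY_SEPARATOR;
if ($base === false || $path === false
    || strncmp($path, $prefix, strlen($prefix)) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Release the session lock so other requests are not blocked during transfer.
session_write_close();

header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . $name . '"'); // open in browser
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store'); // keep copies out of shared caches

readfile($path);
exit;
```

Because the browser only ever sees `download.php`, a copied link gives an unauthenticated visitor a redirect to the login page rather than the file.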
0

I know that PDF files can be password protected, would you consider this as an option?

You would do this when you are creating the PDF file.

Jose B
  • That's some nice out of the box thinking, but I'd prefer the current situation compared to that. – user3478130 May 13 '14 at 14:37
  • No worries, sounds like Konerak's answer would suit your needs better; you need something more like a mini login system. – Jose B May 14 '14 at 07:45