1

Assume I want to host some PDF files under a certain directory on my server (e.g. domain/myfiles). For that reason I create a unique, hard-to-guess link using some common PHP functions and then put the file inside this certain directory (domain/myfiles/hardToGuessHash.pdf).

However, if someone accesses my server through domain/myfiles/hardToGuessHash.pdf, he will be able to see and download this file.

Is there any way to require session access in advance, in order to stop unauthorized access to my documents? I searched on StackOverflow but I really did not come up with anything.

Clarification: I do not want to hide the download link. I want to require verification for download. For example, if a person A, who has download rights on the file, copy-pastes the download link to a person B, then person B should not be able to download the file just from the link!

Thanks!

Themis Beris
  • Found this http://stackoverflow.com/q/17533806/ and http://stackoverflow.com/q/10997516/ after Googling "hide files download php" and you can further your search from there, even adding "sessions" to that list of keywords. Just use a conditional statement on sessions if required and as an added method; *easy as pie*. Ideally, using a database may also prove to be beneficial. Plus, you can place your files outside the public realm of your site. – Funk Forty Niner Jun 02 '15 at 01:15
  • @Fred-ii- Maybe I should have clarified that I do not want to hide the URL link. I will update the question. – Themis Beris Jun 02 '15 at 01:19
  • Place outside of root, serve via PHP file that will check the session –  Jun 02 '15 at 01:21
  • possible duplicate of [Allow logged in user to Download File in Php else nobody can't](http://stackoverflow.com/questions/5813350/allow-logged-in-user-to-download-file-in-php-else-nobody-cant) –  Jun 02 '15 at 01:21
  • @Dagon trouble is with that link, is that they can probably pass on the direct link to someone else. Personally, I would use like you say, outside the root as I stated to the OP, along with the links and/or db. The name of the game here is to "protect from unauthorized access", which the OP doesn't seem to want to use and "should" use. – Funk Forty Niner Jun 02 '15 at 01:23
  • Oh yeah, bad dup, just do it as I said above –  Jun 02 '15 at 01:25
  • @Dagon if it's outside of the public root, yeah that would work. If anyone tries to access it directly, then it will fail. Hard to follow the OP's request here. They're probably over-thinking it. – Funk Forty Niner Jun 02 '15 at 01:27
  • Yeah, I answer below, edit if you like to to do some paid work –  Jun 02 '15 at 01:27

1 Answer

4

So store files outside the document root; then NO one has direct access.

All files are served via a PHP page that checks the session:

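<?php
session_start();

// Only serve the file to a visitor whose session passes the check.
if (isset($_SESSION['logged_in'])) { // or whatever session check you like
  // Absolute path to a file stored outside the document root.
  $file = '/this/is/the/path/file.mp3';

  header('Content-Type: audio/mpeg');
  header('Content-Length: ' . filesize($file));
  readfile($file);
  exit; // nothing else may be appended to the file body
} else {
  // Refuse with 403 instead of answering 200 with an error string.
  http_response_code(403);
  echo 'you cant have the file';
}
?>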

I admit to stealing most of this from "Allow logged in user to Download File in PHP else nobody can't".

Community
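An added example, not part of the original question or answer: the same "store outside the document root and serve through PHP" approach, extended to the per-user case in the question's clarification, so a link copied from person A fails for person B even when B is logged in. The names STORAGE_DIR, $documents, the `id` parameter and the `user_id` session key are assumptions made for illustration; the sample document entry is constructed, and the login code is assumed to store an integer user id in the session.

```php
<?php
declare(strict_types=1);

// Assumption: canonical (symlink-free) directory outside the document root.
const STORAGE_DIR = '/var/private/myfiles';

// Constructed sample data: public id => stored file name and the user ids
// allowed to download it. In practice this would be a database table.
$documents = [
    'a1b2c3' => ['file' => 'report.pdf', 'allowed' => [17, 42]],
];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_start();

// 1. The visitor must be authenticated; a pasted link carries no session.
$userId = $_SESSION['user_id'] ?? null;
if (!is_int($userId)) {
    deny(401);
}

// 2. The id must name a known document AND this user must be on its list.
$id  = $_GET['id'] ?? '';
$doc = is_string($id) ? ($documents[$id] ?? null) : null;
if ($doc === null || !in_array($userId, $doc['allowed'], true)) {
    deny(404); // same answer for "unknown" and "not yours", so ids cannot be probed
}

// 3. Resolve the path and confirm it still lies inside the storage directory.
$path = realpath(STORAGE_DIR . '/' . $doc['file']);
if ($path === false
    || strncmp($path, STORAGE_DIR . '/', strlen(STORAGE_DIR) + 1) !== 0) {
    deny(404);
}

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store'); // keep shared caches from storing it
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

The link handed to users is then of the form download.php?id=a1b2c3; sharing it reveals nothing, because the decision is made from the session's user id and not from knowledge of the URL.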