1

I have a directory that contains many sensitive pdf documents. If someone knew the filename, they could simply bypass my login system and view the file just as if it were an image.

If I moved the directory out of the document root how would I show it to the user once they were logged in? I'd need to pull the requested file back into the document root but not sure how to do this.

If there are any other suggestions aside from removing the directory from the root, I'm open to that as well. Thanks.

tukar

2 Answers

2

Serve the file through PHP so you will always know who/when/what will download.

fabrik
  • Thanks fabrik, can you give me an example, I know I can do this with php but how. – tukar Mar 30 '11 at 10:25
  • Look at my previous answer from today: http://stackoverflow.com/questions/5484207/how-to-make-download-script-in-php/5484223#5484223 – fabrik Mar 30 '11 at 10:25
  • OK, so fabrik, if I use header(), would I still use file_get_contents on a PDF? I thought that was only for text – tukar Mar 30 '11 at 10:32
  • Of course, the only thing you need to adjust is the correct MIME header which is in this case `application/pdf`. – fabrik Mar 30 '11 at 10:33
  • Exactly.. Thank you my friend. – tukar Mar 30 '11 at 10:36
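
The approach from this answer, written out as an added example that is not part of the original thread: the PDFs sit outside the document root and a PHP script streams them only to logged-in users. The directory path, the `user_id` session key, the `file` query parameter and the `resolve_pdf` helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example (download.php). Assumptions: the login code sets
// $_SESSION['user_id'], and files are requested as
// download.php?file=report.pdf.
const PDF_DIR = '/var/www/private/pdfs'; // assumed path outside the docroot

// Map a user-supplied name to a real path inside $baseDir, or null.
function resolve_pdf(string $baseDir, string $name): ?string
{
    // Plain file name ending in .pdf only: no slashes, no leading dot.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\.pdf\z/i', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check after symlinks have been resolved.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Web entry point; skipped under the CLI so the helper can be tested alone.
if (PHP_SAPI !== 'cli') {
    session_start();
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Login required');
    }
    $name = $_GET['file'] ?? null;
    $path = is_string($name) ? resolve_pdf(PDF_DIR, $name) : null;
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    // Audit trail: who downloaded what (error_log adds the timestamp).
    error_log(sprintf('pdf download user=%s file=%s', $_SESSION['user_id'], $name));
    header('Content-Type: application/pdf');
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    // readfile() streams the file instead of loading it all into memory.
    readfile($path);
}
```

The name filter and the `realpath()` containment check keep a request such as `file=../config.php` from reaching anything outside the PDF directory, and the same filter keeps the value safe to place in the `Content-Disposition` header.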
0

Add the following line to the .htaccess file:

```
RewriteRule ^(dir_name_1|dir_name_2)/? /error/404 [L]
```

Matej Baćo
  • Thanks MatejB. If I use this, when Apache serves the file, won't this stop the file? Or send the user to my 404 page? – tukar Mar 30 '11 at 10:27
  • Yes, it will stop the file. You could set some cookie when the user logs in inside the app and add a condition to the redirection like this `RewriteCond %{HTTP_COOKIE} !^.*cookie-name.*$ [NC]` – Matej Baćo Mar 30 '11 at 10:36
  • Solution with PHP is more flexible ;) – Matej Baćo Mar 30 '11 at 10:42