tags:

views:

34

answers:

1
+1  Q: 

Secure files with .htaccess

Hi there,

I have a set of files in a secure directory (currently secured by .htaccess, only 'the site' can access these files).

The files should only be available to members of the site; when they are logged in. I did have links in the members' area which went to a secure download script - however, using the readfile() function caused problems with the files across Browser/OS ie. losing line endings, corrupt PDFs.

So, I thought a better way might be to only allow people who have clicked the link (within the site) to access the files - hence they have to be logged in as a member. Going ditectly to the resource with it's URL would forward to a 403 forbidden page.

My .htaccess skills aren't the best, but I thought the concept would be similar to stopping hotlinking of images?

Any help - and knowing whether this is possible - would be greatly appreciated.

Best Regards,

Rich

+1  A: 

What kind of login/authentication are you using? If you're using the regular HTTP auth stuff, you can just place those directives into the .htaccess along with

Require valid-user

which would allow access only to those who've succesfully logged in. If it's session based, you'll have to fix up the intermediary PHP script, as Apache knows nothing of PHP sessions. At most it can check for the presence/content of a cookie, but then you'd be trusting the clien to not mess with the cookie's conents.

Marc B  2010-09-13 16:40:07
I'm not using HTTP auth, the login is handled by PHP. I had a secure script delivering the files, the problem with this was that due to readfile() and how it works, text files would lose their line endings when opened in notepad, which is unacceptable. Thanks :)
Rich  2010-09-14 08:50:45
Might want to check how the file was being served up. PHP itself wouldn't translate the file from (say) utf-8 into latin1 or whatever. But if you're serving up a different charset and/or content header, then the browser is free to translate as it sees fit.
Marc B  2010-09-14 13:36:16

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases