Hi,
I am actually protecting PDF documents in the directory.
I would like to restrict access to a certain directory on my web server if users directly access any file by typing in the address bar. I would like only privileged users to be able to do that by clicking a link.
How do I achieve this with PHP?
This question has been solved and asker verified.
Create a directory which no one will know about, and disable file listing for that directory:
http://www.javascriptkit.c
Make sure the directory name cannot be guessed either; make it something like /pdfs5464243589/
Then make a PHP script which will download files based on file name, file name will be passed to the PHP script via $_GET vars, e.g.:
pdfdlscript.php?myfile=myf
Then "pdfdlscript.php" will take a file from your directory and pass it to the user to view/download. Directory name "/pdfs5464243589/" can be placed within the PHP code, and this PHP code will grab the file based on the $_GET[myfile] variable. This PHP file will also take care of user authentication (e.g. via user session). So it will not give the file download if someone types
http://www.domain.com/pdfd
in the browser directly, but will allow it if user is logged in.
I'm sorry but I can't go for the referer solution or the complex directory name solution. The referer solution is bad for many reasons (briefly touched upon above), but mostly because the client fills in the referer link. You can never trust the client. One must always view the client as a brilliant and diabolical opponent who would be smart enough to forge a referer link.
As for the random directory name. I think that solution works but should someone somehow get that directory name, then all security is gone. This is essentially proposing "security by obscurity", a weak solution, at best.
paradoxengine's second solution seems along the right track. A "secure" random token stored in the server should be pretty tight. Adding a timeout on the token will make it even tighter. That way you can reduce users from accessing the links page, visiting other pages, and then entering one of these extra-secure URLs directly as the random token will have timed out. A timeout on the order of a few minutes might be reasonable.
Another variant is to store data in hidden fields on the links page and have clicking the link actually submit a form. I think the data you need in the hidden fields is the sessionID, a timeout time, the page or pages they have access to, and a signature that signs all of the hidden fields along with a random number that is only stored in the user's session on the server (the random number ensures that the user cannot spoof the signature).
There probably are other ways to do this, but one thing I'm wondering is why do you wish to do this? It seems so un-web-like.
- Neil
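A sketch of the signed hidden-field variant described in the post above, as an added example that is not part of the original thread. The field names (sid, expires, pages, sig), the 'link_key' and 'authok' session keys and the page name PAGEX.php are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Field and session key names are
// assumptions. Each entry returned by signFields() becomes one hidden input.

/** Canonical string covered by the signature. */
function canonical(array $f): string
{
    return json_encode([$f['sid'], (int)$f['expires'], $f['pages']]);
}

/** Links page: build the hidden fields and sign them. */
function signFields(array $pages, int $ttl): array
{
    // Random per-session secret; it is stored server-side only.
    $_SESSION['link_key'] ??= random_bytes(32);
    $fields = [
        'sid'     => session_id(),
        'expires' => time() + $ttl,
        'pages'   => implode(',', $pages),
    ];
    $fields['sig'] = hash_hmac('sha256', canonical($fields), $_SESSION['link_key']);
    return $fields;
}

/** Target page: verify the posted fields before serving $page. */
function verifyFields(array $post, string $page): bool
{
    $key = $_SESSION['link_key'] ?? null;
    foreach (['sid', 'expires', 'pages', 'sig'] as $name) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            return false;
        }
    }
    if (!is_string($key) || !ctype_digit($post['expires'])) {
        return false;
    }
    $expected = hash_hmac('sha256', canonical($post), $key);
    return hash_equals($expected, $post['sig'])        // fields not altered
        && hash_equals(session_id(), $post['sid'])     // same session
        && time() <= (int)$post['expires']             // not timed out
        && in_array($page, explode(',', $post['pages']), true);
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && (empty($_SESSION['authok']) || !verifyFields($_POST, 'PAGEX.php'))) {
    http_response_code(403);
    exit('Invalid or expired link');
}
```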
> .. like to restrict access to a certain directory on my webserver if users directly access any file by typing in the address bar.
I guess you're just talking about the files in the directory, not the directory itself, not to be accessed by direct URL. Otherwise the only solution is: don't publish ;-)
Said this, I'd do it as follows:
1. create your directory in the web server containing the pdf files, this directory must not be accessible through URL (either outside DocumentRoot, or access restrictions)
2. write a .php script doing your authentication and accepting a parameter for the final file to be retrieved
3. the .php described in 2. delivers requested files only if the user credentials match, then files are fetched from 1. and sent to the client
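A download script along the lines of the three steps above and of the earlier pdfdlscript.php suggestion, as an added example that is not part of the original thread. The storage path, the 'authok' session flag and the file-name pattern are assumptions; the name check is there because a file name taken from $_GET can otherwise point outside the PDF directory.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. PDF_DIR and the 'authok' session
// flag are assumptions; PDF_DIR must lie outside the server's DocumentRoot.
const PDF_DIR = '/var/private/pdfs'; // hypothetical path

/** Map a user-supplied name to a file inside $baseDir, or return null. */
function resolvePdf(string $requested, string $baseDir): ?string
{
    // Bare file name only: no path separators, no NUL bytes, .pdf suffix.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\.pdf\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() has resolved symlinks; the result must stay under $base.
    $inside = strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return ($inside && is_file($path)) ? $path : null;
}

session_start();
if (empty($_SESSION['authok'])) {      // flag set by the login page
    http_response_code(403);
    exit('AUTH REQUIRED');
}

$name = is_string($_GET['myfile'] ?? null) ? $_GET['myfile'] : '';
$path = resolvePdf($name, PDF_DIR);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

session_write_close();                 // release the session lock before streaming
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('Content-Length: ' . (string)filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```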
Ahoffman,
How does your solution prevent access to the files by direct typing or bookmarking of the link? I think that is what is being requested here.
Also, can't you effectively prohibit access to a directory by including an index.php that redirects to an error page (could even be a 401: unauthenticated, a 403: unauthorized, or a 404: file not found)? That still leaves you with protecting the files themselves but there have already been a few solutions for that.
- Neil
There are ways of accomplishing this with custom httphandlers, requiring server side additions to make file content different, or by retrieving the file from a directory on your server that is not publicly serving to the web and writing the contents out. Do you have access to your server or is it hosted third party?
> How does your solution prevent access to the files by direct typing or bookmarking of the link?
see 1. "outside DocumentRoot" in http:#19545326
> pls go ahead with the solutions
what's wrong with mine?
@hoffman
Try it out, ahoffman; you will be able to link to files that aren't handled by your http, like images. The directory is secure because it server files are protected from access.
That is why the solution has to come from a type of file that the server handles.
If the files cannot be put into a database then the solution will need to be a little more difficult to implement. If the files can be stored in a database then you can protect a single page that authenticates a request then streams/writes the file dynamically from the database to the user.
by: paradoxengine, posted on 2007-07-22 at 04:00:45, ID: 19542244
Well, the question is somewhat unclear so we need more information. Anyway...
You could achieve directory security using Apache basic authentication, but that will not help with clicking vs typing.
This is how I'd do that.
1- Create a "grantaccess.php" file. Do your authentication stuff there: if a user authenticates then put in session something like "authok".
2- In each and every PHP file you want to protect, add something like if(empty($_SESSION['authok'])) die("AUTH REQUIRED"). Note this won't help you with images and such, and once the user has authenticated he will be able to access any file without clicking.
To achieve exactly what you want, you'd have to add a random token to the session at each click, then redirect the user to the page, and in the page consume the token.
Like : grantaccess.php -> Is the user authenticated? If so, generate token, put into session, redirect user to PAGEX.php -> delete token. If there's no token, deny access.
This way the user will only be able to access the page one time and only clicking on the link.
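The grantaccess.php flow described in the post above, combined with the token timeout suggested earlier in the thread, as an added example that is not part of the original posts. The 'page_tokens' session key, the 120-second lifetime and passing the token in the redirect URL are assumptions of this sketch; in practice the two functions would live in an include shared by grantaccess.php and PAGEX.php.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Session key names, the lifetime
// and the ?grant / ?t parameters are assumptions.
const TOKEN_TTL = 120; // seconds

/** grantaccess.php side: issue a token bound to one target page. */
function issueToken(string $page): string
{
    $token = bin2hex(random_bytes(32));          // CSPRNG, 256 bits
    $_SESSION['page_tokens'][$page] = [
        'hash'    => hash('sha256', $token),
        'expires' => time() + TOKEN_TTL,
    ];
    return $token;
}

/** Protected page side: accept the token once, then forget it. */
function consumeToken(string $page, string $presented): bool
{
    $entry = $_SESSION['page_tokens'][$page] ?? null;
    unset($_SESSION['page_tokens'][$page]);      // single use, even on failure
    if (!is_array($entry) || time() > $entry['expires']) {
        return false;
    }
    return hash_equals($entry['hash'], hash('sha256', $presented));
}

session_start();
if (empty($_SESSION['authok'])) {
    http_response_code(403);
    exit('AUTH REQUIRED');
}

if (isset($_GET['grant'])) {
    // grantaccess.php branch: reached by clicking the link on the links page.
    $token = issueToken('PAGEX.php');
    header('Location: PAGEX.php?t=' . $token, true, 303);
    exit;
}

// PAGEX.php branch: a typed, bookmarked or replayed URL has no valid token.
$presented = is_string($_GET['t'] ?? null) ? $_GET['t'] : '';
if (!consumeToken('PAGEX.php', $presented)) {
    http_response_code(403);
    exit('Link expired or already used');
}
```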