• Status: Solved

Secure downloading of restricted files on IIS6


I am designing a website for a client who would like to offer privileged PDF downloads to site members only. I have an ASP script in place that sets up a members only area using session variables. I can of course only provide the links to the PDF documents on only those pages, but that would not stop someone from downloading the documents if they know the URL.

I have ASP 3.0, ASP.NET 2.0 and PHP 5 at my disposal.

I have toyed with several imperfect solutions;

- I cannot have restricted directories (like in Apache) because my current web host does not offer them.

- The "force download" scripts I have found to work in ASP are sketchy at best - I find that when a file is downloaded from an off-line folder it can be corrupted when the user tries to open it

- I'd like to avoid having it be sent in an automatically generated e-mail, because I feel this is slow and cumbersome and would not provide a very good user experience on the site.

Any suggestions would be appreciated - thanks,

1 Solution
<?php
// We'll be outputting a PDF
header('Content-type: application/pdf');

// It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');

// The PDF source is in original.pdf
readfile('original.pdf');
?>

There's your PHP code, now for protecting the files:

Notice the line that says readfile: store the files out of your webroot ex:


instead of


PHP should be able to include() files out of your webroot, but they are not browser accessible. Now, if you need me to write a script to authenticate the user and protect the PHP file, just ask.

If your host allows or supports folder protection, you could look into this too.

Another option would be to associate each file with an md5 hash value that only site members will be emailed or given.  Have all the site members enter this md5 hash value to download the file.  This way even if a non-site member knew the folder and filename, they'd need the md5 hash value too, to be able to download the file, and unless they hack a subscriber's email program like hotmail or gmail or even outlook, there's no way of getting the md5 hash...

Also another option that I just thought of - ask the site members to answer a security question like what's your mother's maiden name or what's your favorite color to gain access to a list of md5 hashes or a list of download links that bring them directly to a non-public folder on the server...

I don't see anything wrong with emailing the site members the file instead of making them come to your site to download the file from your site.  It is not slow and cumbersome!  If you want to protect the files, and you start crossing off options, you're not leaving yourself very many options to use!!

My 3rd option would be to change servers.  I suspect you're on a Windows server running IIS since you don't have htaccess support.  If you had an Apache server, you could use the .htaccess support, which is a really really secure protection method for folders and files, but this is just an option.  I personally use Apache and .htaccess to protect my folders and files.

Hope this helps ;-)
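
One way to put the first answer's approach together (PDFs stored outside the webroot and served by a PHP script that checks the member session first), as an added example that is not code from this thread. The script name `download.php`, the session key `member`, the `private_pdfs` directory, the `id` parameter and the file names are assumptions for illustration; it assumes PHP 5.4 or later.

```php
<?php
// download.php - added example, not code from the thread.
// Assumption: the login script sets $_SESSION['member'] = true on success.
session_start();

// Hypothetical directory one level above the webroot, so no URL maps to it.
$pdfDir = __DIR__ . '/../private_pdfs';

// Allowlist: public id => file name on disk (constructed sample entries).
// The client only ever sends an id, never a path, so "../" tricks cannot work.
$documents = [
    'handbook' => 'member-handbook.pdf',
    'rates'    => 'rate-sheet.pdf',
];

function deny($status, $message)
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

// 1. Same check the members-only pages use; knowing the URL is not enough.
if (empty($_SESSION['member'])) {
    deny(403, 'Members only.');
}
session_write_close(); // release the session lock before a long transfer

// 2. Resolve the requested id through the allowlist.
$id = (isset($_GET['id']) && is_string($_GET['id'])) ? $_GET['id'] : '';
if (!isset($documents[$id])) {
    deny(404, 'No such document.');
}
$path = $pdfDir . '/' . $documents[$id];
if (!is_file($path) || !is_readable($path)) {
    deny(404, 'No such document.');
}

// 3. Drop any buffered output; stray bytes ahead of the PDF corrupt the file.
while (ob_get_level() > 0) {
    ob_end_clean();
}

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $documents[$id] . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path); // streams the bytes unmodified
exit;
```

Member pages would then link to `download.php?id=handbook` rather than to the PDF itself.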


aj72886 (Author) Commented:
jsev1995, that sounds like what I was looking for - I have used the header() function before to send javascript headers, but did not think to use this for PDF!

I feel you have earned your points, but is there any chance you could direct me to somewhere with examples of using php to connect to an MS Access database? I have only ever used MySQL with php.
If this is another question, you should open another thread.

Question has a verified solution.
