Secure downloading of restricted files on IIS6


I am designing a website for a client who would like to offer privileged PDF downloads to site members only. I have an ASP script in place that sets up a members only area using session variables. I can of course only provide the links to the PDF documents on only those pages, but that would not stop someone from downloading the documents if they know the URL.

I have ASP 3.0, ASP.NET 2.0 and PHP 5 at my disposal.

I have toyed with several imperfect solutions;

- I cannot have restricted directories (like in Apache) because my current web host does not offer them.

- The "force download" scripts I have found to work in ASP are sketchy at best - I find that when a file is downloaded from an off-line folder it can be corrupted when the user tries to open it

- I'd like to avoid having it be sent in an automatically generated e-mail, because I feel this is slow and cumbersome and would not provide a very good user experience on the site.

Any suggestions would be appreciated - thanks,

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

// We'll be outputting a PDF
header('Content-type: application/pdf');

// It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');

// The PDF source is in original.pdf

There's you php code, now for protecting the files:

Notice the line that says readfile: store the files out of your webroot ex:


instead of


PHP should be able to include() files out of your webroot, but they are not browser accessible. Now, if you need me to write a script to authenticate the user and protect the PHP file, just ask.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
If your host allows or supports folder protection, you could look into this too.

Another option would be to associate each file with a md5 hash value that only site members will be emailed or given.  Have all the site members enter this md5 hash value to download the file.  This way even if a non-site members knew the folder and filename, they'd need the md5 hash value too, to be able to download the file and unless they hack a subscribers email program like hotmail or gmail or even outlook, theres no way of getting the md5 hash...

Also another option that i just though of - ask the site members to answer a security question like whats your mothers maiden name or whats your favorite color to gain access to a list of md5 hashes or a list of download links that bring them directly to a non-public folder on the server...

I don't see any wrong with emailing the site members the file instead of making them come to your site to download the file from your site.  It is not slow and cumbersome!  if you want to protect the files, and you start crossing off options, your not leaving yourself very many option to use!!

My 3rd option would be to change servers.  I suspect your on a windows server running IIS since you don't have htaccess support.  If you had Apache server, you could use the .htaccess support which is really really secure protection method for folders and files, but this is just an option.  I personally use apache and .htaccess to protect my folders and files

Hope this helps ;-)

The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

aj72886Author Commented:
jsev1995, that sounds like what i was looking for - I have used the header() function before to send javascript headers, but did not think to use this for PDF!

I feel you have earned your points, but is there any chance you could direct me to somewhere with examples of using php to connect to an MS Access database? I have only ever used MySQL with php.
if this is another question, you should open another thread.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.