How can I serve files from the filesystem but enforce user authentication?

Posted on 2012-03-15
Last Modified: 2016-12-08
So I want to upload files to<attachment_id>/<attachment_filename>.<extension>. So if a user_a uploads "screenshot.jpg" it would live at If the user_a wanted to view this file they could navigate to this url in their browser. My question is, how can I serve these files from the filesystem while enforcing user authentication/authorization so that user_a can view the file because they're authorized and logged in to the system but user_b can't because either 1) he isn't logged in or 2) he's not authorized?

As a real life example, JIRA implements this method.

As a side note, this seems interesting because, how could your run this kind of logic when the uri is to a jpeg and not a php script.

Please include code examples.
Question by:aristanoble
  • 2
  • 2
LVL 108

Accepted Solution

Ray Paseur earned 300 total points
ID: 37728648
...uri is to a jpeg and not a php script

A URI represents an HTTP request.  The request (usually GET or POST method) is sent to the server.  The server responds in any way that it sees fit.  The server may have rewrite rules that (for example) see requests for .jpg files and send the requests to an intermediate client authentication script.  This is one way that a server could respond.  But most servers are configured to simply serve up the image files.

If you want to keep image files away from people, the only secure answer is, "Do not put those files on the internet."  Once you have sent an image file to a client browser you have released it into the wild.  You have no more control over the file.  The client can copy it, store it, modify it, re-transmit it, republish it, etc.  Your only protections against these actions are the legal system.  And as we have seen many times in the last two decades the legal system is not a nimble match for technologists who would choose to ignore it.

My advice would be to have a data base that handled client authentication and held two other tables.  One is the table that gives the file paths to all the uploaded files.  The other table is the junction table that relates authorized clients and uploaded files.  When a client requests a directory listing, he is shown the files that are permitted to his client identity.  When the client requests a file, he is given access via an authentication script that checks the junction table for the appropriate relationship before it serves the file.

If you keep the files outside of the web root directory tree and serve the files via the authentication script, you will be fairly secure.

HTH, ~Ray

Author Comment

ID: 37729389
serve the files via the authentication script

So, is that to say the files will be served as /files.php?file_id=khj4344gkj2, for example, and I would perform the authentication in that script before I serve the file?

If so, how would I serve up various filetypes (images, pdfs, zips, etc...) through that script?
LVL 33

Assisted Solution

Slick812 earned 200 total points
ID: 37730568
greetings aristanoble, , , This may not be a straight forward code setup for you, since you will need to have error control for -
1. No Sign In, Not a Logged In User asks for a restricted file.
2  User that wants to get something (file) that he does Not have rights to.
3. Asks for a file that does not exist, or is in the wrong location (directory).

Since you ask for - "how would I serve up various filetypes"  in your post here is some code that may help you, although it DOES NOT do any User access verification, this just does some verification for the GET input and if the file exists -

// User verification would go FIRST, maybe using a Session variable

$dir = (empty($_GET['loca'])) ? '?' : $_GET['loca'];
$fl = (empty($_GET['fl'])) ? '?' : $_GET['fl'];
$ext = (empty($_GET['ext'])) ? '?' : $_GET['ext'];

// ERROR out with a 404 status and error page as =
$error = '<html><head><title>404 ERROR - File Does NOT Exist</title></head><body><h2>ERROR 404 - File Does NOT Exist on this Server</h2></body></html>';

if (($dir == '?') || ($fl == '?') || ($ext == '?')) {
	header('Status: 404  Not Found');
	echo $error;

	case 'jpg': $type = 'Content-Type: image/jpeg'; break;
	case 'png': $type = 'Content-Type: image/png'; break;
	case 'pdf': $type = 'Content-Type: document/pdf'; break;
// ERROR out if it is NOT an approved extention
	default: header('Status: 404  Not Found');
	echo $error;

// ERROR out if NOT a valid file path
if (!file_exists ('/home/domain/userF/'.$dir.'/'.$fl.$ext)) {
	header('Status: 404  Not Found');
	echo $error;

$fl = file_get_contents('/home/domain/userF/'.$dir.'/'.$fl.$ext);
// Error out if problems getting file
if (($fl === false) || (strlen($fl) < 2)) {
	header('Status: 404  Not Found');
	echo $error;

// For any file you absolutly MUST set the file TYPE in header
echo $fl;

Open in new window

Ask questions if you need more info or explanation
LVL 33

Expert Comment

ID: 37730579
sorry the line -


should be


Author Closing Comment

ID: 37730776
Thank you both.

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure…
It is possible to boost certain documents at query time in Solr. Query time boosting can be a powerful resource for finding the most relevant and "best" content. Of course the more information you index, the more fields you will be able to use for y…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now