Solved

How to Password Protect Specific Files on a Web Folder

Posted on 2013-05-12
Last Modified: 2013-05-12
We currently mail USB drives to our board members with confidential PDF files on them.  We created a php website that allows the members to log in and access the files but quickly realized that one of the members was hiding her referrer info so the htaccess file wouldn't allow her to download the file (not to mention referrers can be faked).  So, now we're back to square one trying to figure out a way to securely give the members access to the PDF files.  We don't really want to use htaccess to password protect the folder.  We've come up with:

1) Password protect the PDF file and just provide a direct link
2) Have them use FTP

Any other options anyone can think of?

Thanks.
0
Question by:Jason92s
18 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 39159817
Why not just a simple login form that streams the pdf.
Doesn't have to be anything complicated - how many members are we talking about?
0
 

Author Comment

by:Jason92s
ID: 39159826
It's actually a collection of about 60-100 PDF files depending on the size of the hearing and can be anywhere from 100mb to 2GB in size.  We usually zip the files so they just have to download the file to their computer and extract.  Only about 10 members need access.  I have the login stuff all set and thought I could do this through referrers but that blew up.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39159833
Why isn't the login good enough?  I would put the PDFs outside the web root and present them for download (thru PHP) only to logged in users.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39159841
Would just go with the simple login, store the username/password or whatever format you wish to use to validate who the user is in the post back form and then just stream the pdf.
It's just one php page and no-one will know where the pdf's are stored.
0
 

Author Comment

by:Jason92s
ID: 39159857
I like having the files outside root but I can't figure out how to link to them in PHP.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39159867
How far outside the root? Is it still within the site folder structure - you can still stream it.
If not you could create a symlink to the folder.
0
 
LVL 79

Expert Comment

by:arnold
ID: 39159870
To avoid unauthorized downloads by referencing a link, the PHP file outputs
content-type: application/PDF filename=filename
And then streams the raw data forcing a download.
This is what the other experts referenced.
I.e.
<a href=https://www.yourdomain.com/getmydocument.php?docid=25565677>Get document</a>

The php code will verify the request is coming from a logged in/authenticated user.

Reliance on referrer is not a security mechanism.

Alternatively, you could add a java applet through which the document will be displayed within the browser.
0
 

Author Comment

by:Jason92s
ID: 39159873
/home/mysitename/public_html is where my regular content is

I created a directory here:
/home/mysitename/mem_files

I came across this:

http://forums.phpfreaks.com/topic/129814-solved-accessing-images-and-files-that-are-located-outside-document-root/
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 668 total points
ID: 39159879
That is still in your site root just not directly accessible from a browser.
You can verify with
<?php
 echo $_SERVER["DOCUMENT_ROOT"];
?>

And you should get
/home/mysitename

Then you're good to go with streaming.
0
 
LVL 79

Assisted Solution

by:arnold
arnold earned 1332 total points
ID: 39159880
The secure.php in the discussion link is what you need to start with that includes user verification.

How do users currently login? Are you using .htaccess with require user parameter, or you have a login form in php?
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39159889
That link is a good example of how to get and deliver the files.
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39159891
Why not use PHP client authentication to protect the pages that allow access to the PDF files?  Put the PDFs outside of the web root directory and use a "force download" script to link to them.  Password protect the download script with something like the design shown in this article.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
0
 

Author Comment

by:Jason92s
ID: 39159930
I tried the secure.php in the link I posted above and it works great for PDF files but when I tried to use a zip file, it shows as trying to download secure.php (shows the correct filename when downloading a PDF).  When I look in File Manager on my hosting account it shows the Type as "package/x-generic" for my zip file so I'm wondering if that has anything to do with it.
0
 
LVL 79

Accepted Solution

by:
arnold earned 1332 total points
ID: 39159938
It is within your control when outputting content-type.
Secure.php is using an external call to determine the mime type of the file.

You could use a test for a filename that is .zip and output the correct MIME type application/zip

Etc.
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39159943
This script teaches how to force a download.  It does not require any knowledge of the file type.  Using the example in the article you might want to add access_control().  Then you would have a password-protected download script.

<?php // RAY_force_download.php
error_reporting(E_ALL);
ini_set('display_errors', TRUE);
ini_set('log_errors',     TRUE);


// DEMONSTRATE HOW TO CAUSE A FILE DOWNLOAD


// REQUIRED FOR USE WITH THE PHP date() FUNCTIONS
date_default_timezone_set('America/New_York');

// A FILE TO DOWNLOAD - THIS LINK COULD COME IN THE URL VIA $_GET, OR COULD BE GENERATED INSIDE THE SCRIPT
$url = "http://www.LAPRBass.com/RAY_short_text_file.txt";

// THE USE CASE FOR THE FUNCTION
force_download($url);


// FUNCTION TO FORCE A DOWNLOAD FROM A FILE
function force_download($filename)
{
    // GET THE CONTENTS OF THE FILE
    $filedata = @file_get_contents($filename);

    // SUCCESS (STRICT COMPARISON SO AN EMPTY FILE OR A FILE CONTAINING ONLY "0" STILL DOWNLOADS)
    if (FALSE !== $filedata)
    {
        // GET A NAME FOR THE FILE
        $basename = basename($filename);

        // THESE HEADERS ARE USED ON ALL BROWSERS (THE FILENAME IS QUOTED SO NAMES WITH SPACES SURVIVE)
        header("Content-Type: application-x/force-download");
        header("Content-Disposition: attachment; filename=\"$basename\"");
        header("Content-length: ".(string)(strlen($filedata)));
        header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
        header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

        // THIS HEADER MUST BE OMITTED FOR IE 6+ (THE USER AGENT MAY BE ABSENT, SO DEFAULT TO AN EMPTY STRING)
        $agent = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '';
        if (FALSE === strpos($agent, 'MSIE '))
        {
            header("Cache-Control: no-cache, must-revalidate");
        }

        // THIS IS THE LAST HEADER
        header("Pragma: no-cache");

        // FLUSH THE HEADERS TO THE BROWSER
        flush();

        // WRITE THE FILE
        echo $filedata;
    }

    // ERROR
    else
    {
        trigger_error("ERROR: UNABLE TO OPEN $filename", E_USER_ERROR);
    }
}


HTH, ~Ray
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39159945
See the first user comment here about setting up to 'force download' files: http://php.net/manual/en/function.header.php   One of the lines should include the filename to be downloaded.
0
 

Author Comment

by:Jason92s
ID: 39159961
Ok, thanks everyone.  I'm going to close this topic since we've found a way to do it, but I'll open up a new post in PHP since I can't get it to open the ZIP files.  Thanks.
0
 
LVL 79

Expert Comment

by:arnold
ID: 39159965
Zip files should be downloaded not opened.  Your php should stream the data raw.
0
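
The approach the answers above converge on (files outside the web root, a login check instead of the referrer, an explicit `application/zip` type, raw streaming), as an added example that is not the secure.php from the linked thread or any poster's code. The `member_id` session key, the `file` parameter and the `download.php` name are assumptions; the storage path is the one given in the question thread.

```php
<?php
// download.php: added example. Session key, parameter name and script name are assumptions.
declare(strict_types=1);

const STORE = '/home/mysitename/mem_files';   // outside public_html (path from the thread)
const MIME  = ['pdf' => 'application/pdf', 'zip' => 'application/zip'];

// Map a requested name to a real file inside $store; null if missing, escaping or not allowed.
function resolve_download(string $store, string $name): ?string
{
    $root = realpath($store);
    $path = realpath($store . '/' . basename($name));   // basename() drops "../" and directories
    if ($root === false || $path === false || !is_file($path)
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {   // symlink resolved outside the store
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return isset(MIME[$ext]) ? $path : null;
}

// Send headers with an explicit type per extension, then stream the file (archives reach 2 GB).
function send_file(string $path): void
{
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $name = str_replace(['"', '\\'], '', basename($path));
    header('Content-Type: ' . MIME[$ext]);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    session_write_close();                           // release the session lock during the transfer
    set_time_limit(0);                               // large downloads outlive the default limit
    while (ob_get_level() > 0) { ob_end_clean(); }   // never buffer the whole file in memory
    readfile($path);                                 // streams straight to the client
}

session_start();
if (empty($_SESSION['member_id'])) {                 // set by the login page after authentication
    http_response_code(403);
    exit('Login required');
}
$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolve_download(STORE, $requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
send_file($path);
```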
