Solved

Prevent download of files???

Posted on 2014-03-19
Last Modified: 2014-05-30
Is there a way to prevent a user who has a URL to a file (PDF) from downloading it? I have a site built in PHP. I need to prevent PDF downloads by users who are not logged into the site, but the URLs of PDF documents are getting around.

TIA
Question by:machine_run
8 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940808
Would restrict the directory where the PDFs are stored to logged in users only.
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 39940844
You can put the PDF files in a directory or directory tree that is outside of the WWW root.  Then you can have a password-protected script that permits a client to download the PDFs.  The script that permits the downloads can also update a data base to record who downloaded what and when.  If you create the PDF files on the fly, you can even embed the client's name and email address in the footer!

How to password-protect web pages:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

How to force a download:
<?php // demo/force_download.php
error_reporting(E_ALL);
ini_set('display_errors', TRUE);
ini_set('log_errors',     TRUE);


// DEMONSTRATE HOW TO CAUSE A FILE DOWNLOAD


// REQUIRED FOR USE WITH THE PHP date() FUNCTIONS
date_default_timezone_set('America/New_York');

// A FILE TO DOWNLOAD - THIS LINK COULD COME IN THE URL VIA $_GET, OR COULD BE GENERATED INSIDE THE SCRIPT
// IF IT COMES FROM $_GET, VALIDATE IT AGAINST A LIST OF PERMITTED FILES BEFORE USE
$url = "http://www.IcoNoun.com/demo/short_text_file.txt";

// THE USE CASE FOR THE FUNCTION
force_download($url);


// FUNCTION TO FORCE A DOWNLOAD FROM A FILE
function force_download($filename)
{
    // GET THE CONTENTS OF THE FILE
    $filedata = @file_get_contents($filename);

    // SUCCESS (COMPARE WITH FALSE SO AN EMPTY FILE IS NOT TREATED AS AN ERROR)
    if ($filedata !== FALSE)
    {
        // GET A NAME FOR THE FILE
        $basename = basename($filename);

        // THESE HEADERS ARE USED ON ALL BROWSERS
        header("Content-Type: application/octet-stream");
        header("Content-Disposition: attachment; filename=\"$basename\"");
        header("Content-length: ".(string)(strlen($filedata)));
        header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
        header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

        // THIS HEADER MUST BE OMITTED FOR IE 6+ (THE USER AGENT MAY BE ABSENT)
        if (!isset($_SERVER["HTTP_USER_AGENT"]) || FALSE === strpos($_SERVER["HTTP_USER_AGENT"], 'MSIE '))
        {
            header("Cache-Control: no-cache, must-revalidate");
        }

        // THIS IS THE LAST HEADER
        header("Pragma: no-cache");

        // FLUSH THE HEADERS TO THE BROWSER
        flush();

        // WRITE THE FILE
        echo $filedata;
    }

    // ERROR
    else
    {
        trigger_error("ERROR: UNABLE TO OPEN $filename", E_USER_ERROR);
    }
}


Please post back if you still have any questions, ~Ray
0
 
LVL 1

Author Comment

by:machine_run
ID: 39940848
Users get an error if they go to the directory itself, but how can one restrict access to contents?
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940851
Do they get an HTTP 403 error?
0
 
LVL 1

Author Comment

by:machine_run
ID: 39940860
404 (Page Not Found) Error when they go to a directory
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39940864
You can restrict access to the contents by putting the directory outside of the WWW root.  As a result, there will be no URL for any of the contents of the directory.  A script that is inside the WWW root tree (and therefore has a URL) can access the directory to allow a download, but the external clients cannot; they must go through the script.  If that script is password protected, you're relatively safe.

Just remember, no matter what protections you put on your site, once a file has been downloaded, it has been released into the wild.  That's why it may be smart to mark the downloaded files showing who downloaded them.  It may discourage unauthorized distribution.
0
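The arrangement described in the accepted solution and in the comment above (PDFs stored outside the WWW root, served only through a login-protected script that records each download), as an added example that is not part of the original thread or any poster's code. The script name `download.php`, the `file` query parameter, the store path `/var/www/private_pdfs` and the `$_SESSION['user_id']` key are assumptions chosen for illustration.

```php
<?php // download.php - added example; this script is inside the web root, the PDFs are not
session_start();

// ASSUMPTION: the site's login script sets $_SESSION['user_id'] on success
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Please log in to download this document.');
}

// ASSUMPTION: PDFs are stored here, outside the web root, so they have no URL
$store = realpath('/var/www/private_pdfs');

// Keep only the file name from the request; basename() drops any directory part
$name = basename((string) ($_GET['file'] ?? ''));
$path = realpath($store . DIRECTORY_SEPARATOR . $name);

// Reject anything that is missing, is not a PDF, or resolves outside the store
if ($store === false || $path === false
    || strpos($path, $store . DIRECTORY_SEPARATOR) !== 0
    || strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'pdf'
    || !is_file($path)) {
    http_response_code(404);
    exit('Document not found.');
}

// Record who downloaded what and when (a database insert would serve the same purpose)
error_log(sprintf('pdf-download %s user=%s file=%s ip=%s',
    gmdate('c'), $_SESSION['user_id'], $name, $_SERVER['REMOTE_ADDR'] ?? '-'));

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', $name) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');

// Stream from disk rather than loading the whole file into memory
readfile($path);
```

A request without a session gets a 403, and a name that resolves outside the store gets the same 404 as a missing file, so the response does not reveal which files exist.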
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940875
What Ray suggested is correct.

Here is another reference using .htaccess.

stackoverflow.com/questions/2187200/using-php-apache-to-restrict-access-to-static-files-html-css-img-etc
0
 
LVL 1

Author Closing Comment

by:machine_run
ID: 40101076
THANKS
0
