Solved

Prevent download of files???

Posted on 2014-03-19
Last Modified: 2014-05-30
Is there a way to prevent a user who has a URL to a file (PDF) from downloading it? I have a site built in PHP. I need to prevent PDF downloads by users who are not logged into the site, but the URLs of PDF documents are getting around.

TIA
0
Question by:machine_run
8 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940808
I would restrict the directory where the PDFs are stored to logged-in users only.
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 39940844
You can put the PDF files in a directory or directory tree that is outside of the WWW root.  Then you can have a password-protected script that permits a client to download the PDFs.  The script that permits the downloads can also update a database to record who downloaded what and when.  If you create the PDF files on the fly, you can even embed the client's name and email address in the footer!

How to password-protect web pages:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

How to force a download:
<?php // demo/force_download.php
error_reporting(E_ALL);
ini_set('display_errors', TRUE);
ini_set('log_errors',     TRUE);


// DEMONSTRATE HOW TO CAUSE A FILE DOWNLOAD


// REQUIRED FOR USE WITH THE PHP date() FUNCTIONS
date_default_timezone_set('America/New_York');

// A FILE TO DOWNLOAD - THIS LINK COULD COME IN THE URL VIA $_GET, OR COULD BE GENERATED INSIDE THE SCRIPT
$url = "http://www.IcoNoun.com/demo/short_text_file.txt";

// THE USE CASE FOR THE FUNCTION
force_download($url);


// FUNCTION TO FORCE A DOWNLOAD FROM A FILE
function force_download($filename)
{
    // GET THE CONTENTS OF THE FILE
    $filedata = @file_get_contents($filename);

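    // SUCCESS (STRICT COMPARISON, SO AN EMPTY FILE OR A FILE CONTAINING ONLY "0" IS NOT TREATED AS AN ERROR)
    if ($filedata !== FALSE)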
    {
        // GET A NAME FOR THE FILE
        $basename = basename($filename);

        // THESE HEADERS ARE USED ON ALL BROWSERS
        header("Content-Type: application-x/force-download");
        header("Content-Disposition: attachment; filename=\"$basename\"");
        header("Content-length: ".(string)(strlen($filedata)));
        header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
        header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

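        // THIS HEADER MUST BE OMITTED FOR IE 6+ (THE USER AGENT HEADER MAY BE ABSENT, SO CHECK BEFORE READING IT)
        $agent = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '';
        if (FALSE === strpos($agent, 'MSIE '))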
        {
            header("Cache-Control: no-cache, must-revalidate");
        }

        // THIS IS THE LAST HEADER
        header("Pragma: no-cache");

        // FLUSH THE HEADERS TO THE BROWSER
        flush();

        // WRITE THE FILE
        echo $filedata;
    }

    // ERROR
    else
    {
        trigger_error("ERROR: UNABLE TO OPEN $filename", E_USER_ERROR);
    }
}


Please post back if you still have any questions, ~Ray
0
 
LVL 1

Author Comment

by:machine_run
ID: 39940848
Users get an error if they go to the directory itself, but how can one restrict access to contents?
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940851
Do they get an HTTP 403 error?
0
 
LVL 1

Author Comment

by:machine_run
ID: 39940860
404 (Page Not Found) Error when they go to a directory
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39940864
You can restrict access to the contents by putting the directory outside of the WWW root.  As a result, there will be no URL for any of the contents of the directory.  A script that is inside the WWW root tree (and therefore has a URL) can access the directory to allow a download, but the external clients cannot; they must go through the script.  If that script is password protected, you're relatively safe.

Just remember, no matter what protections you put on your site, once a file has been downloaded, it has been released into the wild.  That's why it may be smart to mark the downloaded files showing who downloaded them.  It may discourage unauthorized distribution.
0
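The approach described in the accepted solution and in the comment above (PDFs outside the WWW root, served only through a login-checked script that records each download), as an added example that is not part of any post in this thread. The script name, the `PDF_DIR` path, the `file` query parameter and the `$_SESSION['user_id']` key are assumptions made for illustration.

```php
<?php // download.php (hypothetical name) - this script lives inside the WWW root
session_start();

// ASSUMPTION: the PDFs are stored in a directory that is NOT under the WWW root
define('PDF_DIR', '/var/data/protected_pdfs');   // placeholder path

// ASSUMPTION: the login script sets $_SESSION['user_id'] after a successful login
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// Accept only a bare file name ending in .pdf; never a path or a URL
$name = isset($_GET['file']) ? (string)$_GET['file'] : '';
if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]*\.pdf\z/i', $name)) {
    http_response_code(400);
    exit('Bad file name');
}

// Resolve symlinks and confirm the result is still inside PDF_DIR
$base = realpath(PDF_DIR);
$path = realpath(PDF_DIR . DIRECTORY_SEPARATOR . $name);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Record who downloaded what and when (error_log stands in for a database table)
error_log(sprintf('pdf-download user=%s file=%s time=%s',
    $_SESSION['user_id'], $name, gmdate('c')));

// Send the file as a download; do not let shared caches keep a copy
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Because the script accepts only a validated file name and resolves it against a fixed directory, a request cannot make it read other files on the server or fetch remote URLs.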
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940875
What Ray suggested is correct.

Here is another reference using .htaccess.

stackoverflow.com/questions/2187200/using-php-apache-to-restrict-access-to-static-files-html-css-img-etc
0
 
LVL 1

Author Closing Comment

by:machine_run
ID: 40101076
THANKS
0
