Secure file access

I realise that if a file (e.g. a PDF) is sitting on a server (Apache Linux) and I share the link to its location - you can effectively access/download it without any extra security.

Is there any way (perhaps with a PHP session) to prevent viewing or accessing a file unless the PHP session is active?
dev09 Asked:

Ray Paseur Commented:
Yes.  This article shows how to secure a web page, using PHP client authentication.  It uses the PHP session.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

The files you want to secure need to be placed in a directory that is not "browsable."  Such a directory might be placed somewhere outside of the web root directory tree.  The directory will be usable by PHP scripts, but will not be accessible via a URL.  The directory structure will look something like this.  The public_html is the web root, and URLs are resolvable there.  Since the secret directory is not in the web root directory tree, there can be no URLs that point to the files.  The PHP scripts running in public_html can access the secret directory with notation like ../secret/
account
|
|_ secret
|
|_ public_html
   |
   |_ index.php
   |
   |_ images
   |
   |_ {etc...}
   


There is the matter of coordinating which clients are allowed to access which files in a secret directory like this one.  That is probably best handled via a database table that associates client ids with the file paths into the secret directory.  The PHP script that allows access to secret first checks to see that the client is logged in (using the access_control() function or similar), then checks the database table to see which files are associated with this particular client.

The PHP script that allows access to secret can use readfile() or similar functionality to present the files to the authorized clients.
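
One way to write the script this answer describes, added here as an example (it is not Ray Paseur's code or the linked article's). The session key client_id, the client_files table and its columns, and the SQLite file kept under secret are assumptions made for illustration.

```php
<?php
// download.php in public_html; protected files live in ../secret, outside the web root.
// Assumed for illustration: $_SESSION['client_id'] is set at login, and a table
// client_files(id, client_id, stored_name, download_name) exists in ../secret/files.sqlite.
declare(strict_types=1);
session_start();

const SECRET_DIR = __DIR__ . '/../secret';

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

// 1. Only a logged-in session may proceed.
if (empty($_SESSION['client_id'])) {
    deny(403, 'Login required');
}

// 2. The request names a file by numeric id, never by path.
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($fileId)) {
    deny(400, 'Bad request');
}

// 3. The database decides whether this client is associated with this file.
$pdo = new PDO('sqlite:' . SECRET_DIR . '/files.sqlite');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare('SELECT stored_name, download_name FROM client_files WHERE id = ? AND client_id = ?');
$stmt->execute([$fileId, $_SESSION['client_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 4. Resolve the real path and confirm it is still inside the secret directory.
$base = realpath(SECRET_DIR);
$path = ($row && $base) ? realpath($base . '/' . $row['stored_name']) : false;
if (!$path || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0 || !is_file($path)) {
    deny(404, 'Not found');
}

// 5. Stream the file; the download name is reduced to a safe character set.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', (string) $row['download_name']);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Clients are given links to download.php with the numeric id, so the stored path never appears in a URL, and a missing file and a file owned by another client both return the same 404.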

dev09 Author Commented:
Thanks, perfect answer!