
Protecting Files On A Directory


Err


I want to protect files in a directory by having the user log into the site first. After they log in, they can click on the link and download the files. The problem I'm having is that as soon as the path to the file is known, even people not logged in can access them. How can I force the user to log in first? I did some searching and came up with a rewrite rule using .htaccess

RewriteEngine on
RewriteRule path/to/where/these/files/live/(.*) /handlerscript.php/$1

That gives me a 500 error and I'm unable to proceed any further. I don't want to use a htaccess password to protect these files.


You could try making the link you send to the client valid for a set period. I use an encrypted date variable included in the address that basically passes the date and time to the download script, which can then determine if the client should be allowed to download the file.


Don't give them a direct link to the files. Give them a link to a script that downloads the files. Each link can have a query string that references the filename, but not the full path. Only the script knows the path.


Don't give them a direct link to the files. Give them a link to a script that downloads the files. Each link can have a query string that references the filename, but not the full path. Only the script knows the path.
Ok, I got that far. How can I make a download prompt appear for this? I'm using the header function with the full path to the file to get the download prompt, but I'm guessing there's a more secure way to do this.

Send a header to set the content type to "application/octet-stream", read the file data using file_get_contents, you can send a content-length header if you want the user to be able to see download progress, set the filename, and then output the data from the file. That will cause a download box to pop up with whatever filename you chose to use (you can use the original if you want), but the only URL they'll see is that of the download script.


How exactly do you mean output the data from the file? I'm using echo, but I don't get any download prompt and the only thing that appears on screen is "PK".


You just use echo to output the data you got from file_get_contents. If you're not seeing a download prompt you're probably not setting the content type. You'll also want to use the content-disposition header to specify that there's a file with a certain filename. http://www.google.com/search?client=opera&...-8&oe=utf-8


Sweet. I got it. Here's what it looks like, for anyone that's interested:

  header('Content-Type: application/octet-stream');
  header('Content-Disposition: attachment; filename="file.zip"');
  readfile('file/file_30.zip');

Thanks to everyone for their help.


Archived

This topic is now archived and is closed to further replies.
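
The approach the thread arrives at (a login-checked script that receives only a filename and sends the download headers), written out as an added example that is not code from any of the posters. It assumes the site's login code sets $_SESSION['user_id'] and that the files sit in a hypothetical directory outside the web root, so no direct URL to them exists; resolve_download is an illustrative helper name.

```php
<?php
// download.php -- added example, not code from the thread.
// Assumptions: the login code sets $_SESSION['user_id']; the files live in
// DOWNLOAD_DIR, a hypothetical directory outside the web root.
declare(strict_types=1);

const DOWNLOAD_DIR = '/var/www/private_files';

/** Map a user-supplied name to a real file inside $baseDir, or return null. */
function resolve_download(string $baseDir, string $requested): ?string
{
    // Keep only the last path component so "../" and absolute paths are dropped.
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks; the result must still sit inside $base.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {      // not logged in: refuse before touching the file
    http_response_code(403);
    exit('Please log in first.');
}

// The query string carries a bare filename only, e.g. download.php?file=report.zip
$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolve_download(DOWNLOAD_DIR, $requested);
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'
    . addcslashes(basename($path), "\"\\") . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);                        // streams the file to the client
```

If the files have to stay under the web root, the directory itself still needs to refuse direct requests, otherwise the login check in the script can be skipped by anyone who knows the path.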
