Is it possible to authenticate a PDF download?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

sametch
Forum Newbie
Posts: 9
Joined: Mon Dec 20, 2004 4:53 am

Post by sametch »

I am creating a website with information that is available to download by PDF.

Users will log in to an "account" area and, depending upon who they are, different PDF downloads will be made available.

The problem is once the directory containing the downloads is known, users could guess at the download filenames.

Is there any way that PHP can pass a username and password to a directory protected with .htaccess? If there is, I could create different folders and, once a user logs in to their "account" area in PHP, I could record their username and password and direct them to a folder that is protected by .htaccess without them having to log in again!

If you know what I mean!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Why not store the PDFs off somewhere else, and use a downloader script? If the PDFs were stored outside the document root, then the files can't be downloaded directly via guessing or any other form; they'd require access to the server's file system.
sametch
Forum Newbie
Posts: 9
Joined: Mon Dec 20, 2004 4:53 am

Post by sametch »

feyd

I am not entirely sure what you mean by a "downloader script". When you say somewhere out of reach, I figure you mean somewhere above the root in the server directory structure.

:?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

A downloader script is a script you link through to fetch something you wish to download. You request xyz from it, it returns the file corresponding to xyz. It does not give the path information, just returns the file itself, along with some additional headers.
sametch
Forum Newbie
Posts: 9
Joined: Mon Dec 20, 2004 4:53 am

Post by sametch »

feyd

I think this is taking me beyond my current knowledge of PHP. Could you give me any advice on what sort of functions I need to use to create a "downloader script"?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Your searching powers will be needed... but you don't need that much of them, because we have talked quite often about this type of problem in this forum.
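
A sketch of the kind of downloader script described in this thread, as an added example that is not part of any poster's reply: the browser requests an opaque ID, the script checks the logged-in session against a per-user allow-list, and the PDF is streamed from a directory outside the document root. The session key `user_id`, the `PDF_DIR` path, the `deny()` helper and the `$entitlements` map (standing in for a database lookup) are all assumptions.

```php
<?php
// download.php: added example, not code from the thread.
// Assumptions (hypothetical names): the login page sets $_SESSION['user_id'];
// PDFs live in PDF_DIR, outside the document root; $entitlements replaces a DB query.
declare(strict_types=1);

const PDF_DIR = '/var/www/private_pdfs'; // hypothetical path outside the web root

// Constructed sample data: document IDs each user may fetch, and the file behind each ID.
$entitlements = [
    'alice' => ['q1-report'  => 'a/q1-report.pdf'],
    'bob'   => ['price-list' => 'b/price-list.pdf'],
];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_start();
$user = $_SESSION['user_id'] ?? null;
if (!is_string($user)) {
    deny(403); // not logged in
}

// The client sends only an opaque ID, never a path or a filename.
$id = $_GET['id'] ?? '';
if (!is_string($id) || !isset($entitlements[$user][$id])) {
    deny(404); // unknown ID or someone else's document: same answer for both
}

// Resolve the file and confirm it is still inside PDF_DIR
// (defence in depth against a bad map entry or a symlink).
$base = realpath(PDF_DIR);
$path = realpath(PDF_DIR . '/' . $entitlements[$user][$id]);
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    deny(404);
}

// $id is a key from the allow-list at this point, so it is safe to echo in a header.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $id . '.pdf"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Links in the account area would then point at `download.php?id=q1-report` rather than at the file itself, so guessing filenames gains nothing without a session that is entitled to that ID.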