Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Hi - I am building a site where users have to have a login account in order to view and download a variety of (PDF) files.
The login system is a simple database/session system with an include on every page to make sure the user is allowed to be on the page.
My question is: Is there a way of preventing non-logged in visitors from using a link (to a document) to download a file.
Obviously I will have directory browsing turned off, but if a registered user sends them the URL of a file....
It's not that hard if you store the files in an off-web path and serve them via a php script. That script should of course check if a user is logged in prior to passing the file back to the client.
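A minimal version of that approach, written as an added example rather than code from this thread: the PDFs sit in an assumed directory outside the web root, and a single download.php checks the session, resolves the requested name against that directory so a crafted `file=` parameter cannot reach anything else, and then streams the file.

```php
<?php
// download.php -- linked as download.php?file=report.pdf
// Assumptions (not from the thread): the login include sets $_SESSION['user_id'],
// and the documents live in /var/www/private_docs, outside DocumentRoot.
session_start();

// 1. Logged-in users only; everyone else gets nothing, not even a file listing.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required.');
}

// 2. Never build a filesystem path from raw input. basename() drops any
//    directory part, realpath() collapses ../ and symlinks, and the prefix
//    check rejects anything that still resolves outside the document directory.
$baseDir = realpath('/var/www/private_docs');            // assumed location
$name    = basename((string)($_GET['file'] ?? ''));
$path    = ($name !== '') ? realpath($baseDir . DIRECTORY_SEPARATOR . $name) : false;

$inside = $path !== false && strpos($path, $baseDir . DIRECTORY_SEPARATOR) === 0;
$isPdf  = $inside && is_file($path)
       && strtolower(pathinfo($path, PATHINFO_EXTENSION)) === 'pdf';

if (!$isPdf) {
    http_response_code(404);   // same answer for "missing" and "not allowed"
    exit('No such document.');
}

// 3. Stream the file. The client only ever sees download.php, so the real
//    location is never exposed, and a shared URL still hits the login check.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

If some users may only see some documents, add a per-user lookup against your database between steps 1 and 2 instead of relying on the login check alone.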
to add even more, you can make the download link invalid after a single use. This involves using the database a bit to store the currently active ID's.
dbevfat, I was wondering about that but I don't know how to serve up files from an outside web directory using PHP. Can you point me in the right direction?
If you have not seen it already, you might want to check out the replies I received in the Theory and Design forum. I was asking the same thing and the responses were helpful. Here is the link.