httpd-users mailing list archives

From Jan Bols <>
Subject [users@httpd] direct link prevention with PHP
Date Fri, 05 Dec 2003 15:46:54 GMT
I'm using PHP 4.3 and Apache 2.0. I have a website that requires people 
to log in before they can download files from my website. A person is 
logged in if there is a session-variable $logged_in set to TRUE.

How can I prevent people from downloading a file (f.e. myfile.doc) 
without being logged in when they know the direct link to the file 

Putting the file in an obscure place by working with random numbers 
( is not a solution for me.

The other solution of using a scriptfile like download.php as a gateway 
to serve the file and restricting all other access to the directory with 
a .htaccess file is also not an option, because this doesn't work 
perfectly in older browsers that don't handle the headers (Content...) 

I would like Apache to handle this. If one requests a file in a certain 
directory, I want Apache to check if the user is logged in or not by 
calling a file like download.php. If he is logged in then the requested 
file is served by Apache (not by the download.php file acting as a 
gateway). I was thinking to use mod_rewrite, but I don't think this 
works because it will keep on rewriting the url to go to the 
download.php file. Even if I'm coming from that place. Also using 
HTTP_REFERER is not a good idea because a lot of firewalls prevent this 

Is this simply impossible? Can I use mod_rewrite for this and how? Are 
there other possibilities?

Jan Bols
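
The gateway approach mentioned in the message (a download.php script in front of a directory that is closed to direct requests), as an added example that is not part of the original post. The `file` query parameter, the directory path and the `$_SESSION['logged_in']` key are assumptions made for illustration.

```php
<?php
// Added example: gateway script for the approach described above.
// Assumed (hypothetical) names: the "file" query parameter and the
// /var/www/protected directory, which sits outside the document root
// or is closed to direct requests with "Deny from all" in its .htaccess.
session_start();

$protected_dir = '/var/www/protected';

// The login page is assumed to set $_SESSION['logged_in'] = true.
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
    header('HTTP/1.0 403 Forbidden');
    exit('Login required.');
}

// basename() drops any directory part, so "../" sequences in the
// request cannot reach files outside the protected directory.
$name = isset($_GET['file']) ? basename($_GET['file']) : '';
$base = realpath($protected_dir);
$path = realpath($protected_dir . '/' . $name);

// realpath() resolves symlinks; require the result to be a regular
// file that still lies under the protected directory.
if ($name === '' || $base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    header('HTTP/1.0 404 Not Found');
    exit('No such file.');
}

// Strip characters that could break out of the quoted header value.
$safe_name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safe_name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

The session check runs before any file path is built, so an unauthenticated request never learns whether a given file name exists.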
