httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kyle Dent <>
Subject Re: [users@httpd] direct link prevention with PHP
Date Fri, 05 Dec 2003 16:05:27 GMT
On Fri, 5 Dec 2003, Jan Bols wrote:

> I'm using PHP 4.3 and APACHE2.0. I have a website that requires people
> to log in before they can download files from my website. A person is
> logged in if there is a session-variable $logged_in set to TRUE.
> How can I prevent people from downloading a file (f.e. myfile.doc)
> without being logged in when they know the direct link to the file
> (
> Putting the file in an obscure place by working with random numbers
> ( is not a solution for me.
> The other solution of using a scriptfile like download.php as a gateway
> to serve the file and restricting all other access to the directory with
> a .htaccess file is also not an option, because this doesn't work
> perfectly in older brwosers that don't handle the headers(Content...)
> correctly.


> I would like Apache to handle this. If one requests a file in a certain
> directory, I want apache to check if the user is logged in or not by
> calling a file like download.php. If he is logged in than the requested
> file is served by apache (not by the download.php file acting as a
> gateway). I was thinking to use mod_rewrite, but I don't think this
> works because it will keep on rewriting the url to go to the
> download.php file. Even if I'm coming from that place. Also using
> HTTP_REFERER is not a good idea because a lot of firewalls prevent this
>  information.
> Is this simply impossible? Can I use mod_rewrite for this and how? Are
> there other possibilities?

If you don't want to do this with the actual authentication
mechanisms available for the web server, you can do it within
your script. Place the protected file outside of your web
accessible files. The link to the file should actually be a link
to your script. When your script is invoked, it checks the
authentication status. If it checks out, your script opens the
file, sends the correct MIME headers followed by the contents of
the file.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message