Avoid access to files


usban
09-09-2002, 02:58 PM
I have a serious problem. I'm trying to build a safe environment in which every user has to log in before entering the application. This login consists of a login and a password, as usual. I also use sessions in order to check that all users have logged in before visiting the pages.

Inside the application the user can upload files to the web in order to use it as a virtual hard drive, or can share them with the members of his workgroup. The problem is that I can check that the user has logged in whenever he visits a page with session_start(), but I can't stop him from downloading any file if he knows the right URL. I mean, I would like to know if there is a way to protect access to the files.

Thank you.

Nightfire
09-09-2002, 03:05 PM
Maybe .htaccess will prevent that sort of thing.

usban
09-09-2002, 03:46 PM
I've read something about it, but it seems that it only works on Apache and I'm running IIS, and I also don't understand how to use it. Can you help me by explaining how I can use it?

Thank you.

bcarl314
09-09-2002, 04:46 PM
The way I would try to get around this is to place the files on the server somewhere that is not under the web server directory tree (i.e. /usr/www/htdocs) and instead place them in a new directory (like /usr/uploads/USERNAME), then use a database to store the paths to the files and, based on the access level for a path, allow them to be included using the include() call.

That's a down and dirty way.

usban
09-14-2002, 01:05 AM
I finally found what I was looking for. Now what I do is call a script called download.php. In that script I can check whether the session has been started, and, passing the id of the file, I only have to write this:


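// Values looked up from the file id passed to download.php
$filename = "the name of the file";
$path = "the path to the file";

// Send the file as a download; the name is quoted so spaces do not break the header
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"$filename\"");
header("Content-Transfer-Encoding: binary");
readfile($path);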


I will probably take the files out of the root directory for even more security.
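
The approach the thread converges on (a download.php gatekeeper plus storage outside the web root), sketched as an added example that is not code from any poster. UPLOAD_ROOT, the `$_SESSION['user']` and `$_SESSION['group']` keys, and lookup_file() with its two constructed records are assumptions standing in for the real login code and database.

```php
<?php
// download.php (added example). Assumed names, none from the thread:
// UPLOAD_ROOT, $_SESSION['user'], $_SESSION['group'], lookup_file(), deny().
declare(strict_types=1);
session_start();
const UPLOAD_ROOT = '/usr/uploads';   // assumed location outside the document root

// Constructed stand-in for the database: id => stored path, owner, sharing group.
function lookup_file(int $id): ?array
{
    $files = [
        1 => ['path' => 'usban/report.doc', 'owner' => 'usban', 'group' => null],
        2 => ['path' => 'usban/plan.xls',   'owner' => 'usban', 'group' => 'team-a'],
    ];
    return $files[$id] ?? null;
}

function deny(int $status): void { http_response_code($status); exit; }

// 1. Logged in? session_start() only opens a session; check what login stored in it.
if (empty($_SESSION['user'])) {
    deny(403);
}
// 2. The client sends only a numeric id, never a path or file name.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$file = is_int($id) ? lookup_file($id) : null;
if ($file === null) {
    deny(404);
}
// 3. Authorised for this file? Owner, or member of the group it is shared with.
$isOwner = $file['owner'] === $_SESSION['user'];
$inGroup = $file['group'] !== null && $file['group'] === ($_SESSION['group'] ?? null);
if (!$isOwner && !$inGroup) {
    deny(404);   // same answer as "no such file", so ids cannot be probed
}
// 4. Resolve the stored path and confirm it stays under UPLOAD_ROOT.
$root = realpath(UPLOAD_ROOT);
$real = realpath(UPLOAD_ROOT . '/' . $file['path']);
if ($root === false || $real === false || !is_file($real)
    || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
    deny(404);
}
// 5. Stream it; strip quotes so the name cannot break out of the header value.
$name = str_replace('"', '', basename($real));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($real));
header('X-Content-Type-Options: nosniff');
readfile($real);
```

A logged-in session alone is not enough here: step 3 is what keeps one authenticated user from fetching another user's files by changing the id.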