Resolved protecting PDF's

dnnhater · 10-17-2011, 06:34 PM

if this isn't in the right topic, please move

I have added a login to a site, but all of the pdf's are still available (if you know the link) whether you are logged in or not

is there a way to make the pdf directory inaccessible unless one is logged in or do I need to do that with .htaccess?

thanks in advance for any help!

mlseim · 10-17-2011, 07:16 PM

Can you tell how (or if) they are logged in?
Is there a SESSION set that you can check?

Meanwhile, you can serve them the PDF file
without revealing the path or filename.
The log-in check would be at the top of this script ...

PHP Code:


			
<?php
session_start();

// example

// check for the correct SESSION set here.

// you would actually read-in some sort of code from a link or form,
// cross-reference that code with the real PDF path/filename,
// and then serve it to the user.

// for this example, manually enter one of your real PDF path/files ... just for testing.
$file="/files/pdf/mypdffile.pdf";

// what you want the user to see ... name of the PDF that gets served.
$filename = "YourPDF.pdf";

header("Content-Type: application/pdf");
header("Content-Disposition: attachment;filename=$filename");
header("Content-Transfer-Encoding: binary");
header("Cache-Control: ");
header("Pragma: ");
set_time_limit(0);
readfile($file);

?>

This script has to run without anything outputted (echoed) to the display,
or you'll get a "header already sent" error.

.

dnnhater · 10-17-2011, 08:32 PM

I just got off the phone with one of my people in i.t. and they had just suggested the same thing

why can't I ever think of this stuff myself?????

I'll let you know how it works out

Adee · 10-18-2011, 05:35 AM

Quote:

Originally Posted by mlseim

Can you tell how (or if) they are logged in?
Is there a SESSION set that you can check?

Meanwhile, you can serve them the PDF file
without revealing the path or filename.
The log-in check would be at the top of this script ...

PHP Code:


			
<?php

session_start();



// example



// check for the correct SESSION set here.



// you would actually read-in some sort of code from a link or form,

// cross-reference that code with the real PDF path/filename,

// and then serve it to the user.



// for this example, manually enter one of your real PDF path/files ... just for testing.

$file="/files/pdf/mypdffile.pdf";



// what you want the user to see ... name of the PDF that gets served.

$filename = "YourPDF.pdf";



header("Content-Type: application/pdf");

header("Content-Disposition: attachment;filename=$filename");

header("Content-Transfer-Encoding: binary");

header("Cache-Control: ");

header("Pragma: ");

set_time_limit(0);

readfile($file);



?>

This script has to run without anything outputted (echoed) to the display,
or you'll get a "header already sent" error.

.

except any request sent to/from the server can be viewed by the enduser so ultimately you'll still be able to get the link lol

dnnhater · 10-18-2011, 04:26 PM

mlseim:

this worked like an absolute charm - rather than displaying in the browser it forces and open/save option and when I tried to get to the test page (while not logged in) the session settings bounced me right back to the login

mlseim · 10-18-2011, 06:52 PM

Adee ... can you describe, or show us an example of how that is done?
I'm curious how someone might be able to get the path ... something to know in the future.

SlayerACC · 10-18-2011, 07:44 PM

glad I saw this.

Thanks..