You need to store your PDFs outside the web tree and then access and
distribute them through a script that does the user authentication ...
in pseudo-code that would look like this:

Check Authentication
If !Auth ... send to login
Check for proper file request (name/id/whatever)
If !Proper ... send error
If AllOK
    Open file requested
    Send appropriate headers for filetype
    Send appropriate headers for filename/inline/attachment
    Send Data
    Close file
Script End

Hank

On Sun, Nov 25, 2001 at 03:54:59PM -0400, Miles Thompson wrote:
> Sebastian,
>
> I believe I have to do what you do, but from your cryptic msg I've not been
> able to figure it out.
>
> We have a subscription site, and if a subscriber wants a PDF, the link
> which requests it checks for a session cookie. If it's not set the user is
> directed to a logon script which checks username/password against a
> database and sets the session cookie if everything is OK. It automatically
> redirects to the calling script, and because the session id is now present
> the PDF can be accessed.
>
> To my horror, I discovered on Friday that if I just type in the URL with
> the name of the PDF it's delivered with no checking at all. I have to move
> them to a safe place, either outside the web tree or to a directory
> protected by htaccess. This is where I'm stuck.
>
> If I use .htaccess, I don't want to maintain a separate .htaccess file in
> addition to the subscriber table in the database. Can I have my logon
> script set an Apache variable that will give access to the protected
> directory which stores the PDFs?
>
> Or do they have to be passed? If so how?
>
> Would that mean that I'd need only one or a few username/password pairs in
> htaccess?
> or
> Is htaccess (or Apache's security) somehow satisfied by setting the
> variables?
>
> Regards - Miles Thompson
>
> At 01:19 PM 10/19/2001 +0200, you wrote:
> >Hi George
> >
> >I had the same problem a while ago.
> >The only solution I found was to change the link to :
> >www.blabla.com/pdffile/test.pdf
> >test.pdf does not exist, but
> >in /pdffile/ there is a .htaccess which redirects the 404 to the php
> >script that reads/generates the pdfs. And for my purpose checks if user
> >is authorized to get these files.
> >
> >sebastian
> <George's part is snipped, as it doesn't matter to me if the filename is
> preserved.>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
--
Hank Marquardt <[EMAIL PROTECTED]>
http://web.yerpso.net
GPG Id: 2BB5E60C
Fingerprint: D807 61BC FD18 370A AC1D 3EDF 2BF9 8A2D 2BB5 E60C
*** Web Development: PHP, MySQL/PgSQL - Network Admin: Debian/FreeBSD
*** PHP Instructor - Intnl. Webmasters Assn./HTML Writers Guild
*** Beginning PHP -- Starts January 7, 2002
*** See http://www.hwg.org/services/classes
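
The gatekeeper script outlined in the pseudo-code at the top of this message, written out in PHP as an added example (it is not code from the thread or from any poster). The storage directory, the login URL, the `file` request parameter and the `subscriber_id` session key are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Assumed locations: the PDFs live outside the document root, so no URL maps to them.
const PDF_DIR   = '/var/private/pdfs';
const LOGIN_URL = '/login.php';

session_start();

// 1. Check authentication. The login script is assumed to set this session key
//    and to accept only local paths in its "return" parameter.
if (empty($_SESSION['subscriber_id'])) {
    $back = urlencode($_SERVER['REQUEST_URI'] ?? '/');
    header('Location: ' . LOGIN_URL . '?return=' . $back, true, 302);
    exit;
}

// 2. Check for a proper file request: a bare file name only, no directory parts.
$name = $_GET['file'] ?? '';
if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\.pdf\z/', $name)) {
    http_response_code(400);
    exit('Bad request');
}

// Resolve symlinks and confirm the result is still inside PDF_DIR.
$base = realpath(PDF_DIR);
$path = realpath(PDF_DIR . '/' . $name);
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path) || !is_readable($path)) {
    http_response_code(404);
    exit('Not found');
}

// 3. All OK: send headers for file type and file name, then the data.
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');

// Release the session lock so a long download does not block other requests.
session_write_close();
readfile($path);
```

Because the file name is validated against a strict pattern before it is used in the path or echoed into the Content-Disposition header, a request cannot climb out of the storage directory or inject header content.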