i have a directory containing some pdf documents i need to make available to the users of a website (they log on to the site and are fed a cookie). i don't want external users or not logged-on users to be able to link directly to the files.
what i'm thinking of doing is upon request for a file (for instance, /protected/doc.pdf), i would rewrite the url to (/protect.php?d=doc.pdf).
in the protect.php script i would check the cookie, make sure the customer can be granted access to that specific doc.pdf and so on.
just as an additional thought, i would have the pdf files reside in a directory other than /protected/, with the php script mapping to the correct dir.
i would appreciate comments on this scheme and would gladly accept assistance on the mod_rewrite rules needed to accomplish this, if deemed to be plausible at all.
thanks in advance,
lance
Here's my htaccess suggestion:
# Disallow access to htaccess:
<Files .htaccess>
deny from all
</Files>
# If not allowed by default:
Options +FollowSymLinks
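# The actual rewrite rule (mod_rewrite has to be switched on first).
# Placed in the document root's .htaccess, it maps /protected/<name>.pdf to the PHP script:
RewriteEngine On
RewriteRule ^protected/(.*)\.pdf$ /secret/get-document.php?doc=$1.pdf [L]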
To make it even more secure, i'd let the cookie expire after xy minutes and refresh the timestamp with each request.
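
One way the PHP side of this scheme could look, as an added example that is not code from either poster. It assumes a session-based login that stores `user_id` in `$_SESSION`, a storage directory `/var/www/private-docs` outside the web root, and a constructed ACL array; `resolve_document()` is a hypothetical helper.

```php
<?php
// get-document.php: added example; names, paths and the ACL are assumptions.
declare(strict_types=1);

const DOC_DIR      = '/var/www/private-docs'; // assumed location outside the web root
const IDLE_TIMEOUT = 900;                     // assumed sliding expiry, in seconds
const ACL          = [42 => ['doc.pdf', 'manual.pdf']]; // constructed: user id => allowed files

// Hypothetical helper: returns the resolved path, or null if the name is unsafe.
function resolve_document(string $name, string $baseDir): ?string
{
    // Accept a bare file name only: no directory parts, no "..", must end in .pdf.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\.pdf\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    // realpath() follows symlinks, so the result must still sit directly in $base.
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return is_file($path) ? $path : null;
}

session_start();
$now  = time();
$user = $_SESSION['user_id'] ?? null;
$last = $_SESSION['last_seen'] ?? 0;
if ($user === null || $now - $last > IDLE_TIMEOUT) {
    session_unset();               // idle too long: drop the login state
    http_response_code(403);
    exit('Not logged in');
}
$_SESSION['last_seen'] = $now;     // refresh the timestamp on each request

$doc  = is_string($_GET['doc'] ?? null) ? $_GET['doc'] : '';
$path = resolve_document($doc, DOC_DIR);
if ($path === null || !in_array($doc, ACL[$user] ?? [], true)) {
    http_response_code(404);       // same answer for "missing" and "not yours"
    exit('Not found');
}

// $doc passed the whitelist regex above, so it is safe inside the header value.
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . $doc . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Because the rewrite pattern `(.*)` lets slashes through, the file-name check in the script is what keeps requests such as `/protected/../x.pdf` from reaching files outside the storage directory.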