Welcome to WebmasterWorld Guest from 188.8.131.52
Can Apache change the name of the served file?
User clicks on a link
PHP then gets the file's alias name (realFileName.pdf) from the database and redirects to the newly created location
this would allow a bad guy to attempt to guess typical names and access them before they get deleted
Why doesn't the link point to the desired URL in the first place? Or did you mean "rewrites"?It doesn't at first, but only does after the PHP redirects (my original post left out half the story and I am sure was misleading). It is PHP which redirects, and not Apache.
If it's a security issue, it would be better to handle it as such, by requiring some type of authentication. Security-through-obscurity has its uses, but it's certainly not the right approach for all situations.Yes, it is a security issue, and yes, I agree Security-through-obscurity is not my best approach. But how do I provide security for this scenario? Requiring the user to authenticate the application script first and then authenticate an Apache log-in second is not an option. How do I allow the user to authenticate once in the application, and then be authorized to download files from the Apache server without having to re-authenticate?