
Restricting access to a file

         

Nutter

5:49 pm on Dec 17, 2004 (gmt 0)




I'm trying to find a good way to restrict access to a temporary directory that holds a PDF report. The PDF is generated by a script and then redirected to. I found this is the only way to do it because I needed the filename to be correct, and some sort of IE bug caused the PDF to be named the same as the script when saved, which was not OK. So, the script creates a temp directory (something like /tmp-pdf098098098098/) and then drops the PDF into it.

The user is already logged in from a MySQL table and has a session storing their information. Is there a good, secure, and easy (I know those don't often go together) way to allow that user to access that file, but no one else?

Any temp directories over an hour old are deleted by the script, so the protection doesn't need to last forever.

Thanks,
- Ryan

jatar_k

11:18 pm on Dec 17, 2004 (gmt 0)




Do you maintain a SESSION for the logged-in user? If so, you could verify that data for access. You could also use the username in the filename or dir name to make it a little easier.

Nutter

11:46 pm on Dec 17, 2004 (gmt 0)




Yes, it is in a session. But, how do I use that to limit access to the PDF?

jatar_k

11:49 pm on Dec 17, 2004 (gmt 0)




Have a script serve the PDF:

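session_start(); // resume the logged-in user's session
// strict comparison avoids PHP's loose string/number type juggling
if (isset($_SESSION['username']) && $_SESSION['username'] === 'therightuser') {
    // redirect to the pdf using header
} else {
    echo 'too bad, so sad';
}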

Nutter

12:46 am on Dec 18, 2004 (gmt 0)




That's basically what I'm doing now. I'm redirecting to the file already. But I'm worried that someone could type in the same address and open the file without correct access. I was thinking about some sort of .htaccess / password where I used the PHP to auto-allow the user who's supposed to be there, and no one else had permission. Would this be a good (or possible) solution, and can PHP safely edit the files necessary?

jatar_k

12:51 am on Dec 18, 2004 (gmt 0)




Put the PDF outside of the root of the site and include it; then it can't be called directly in the browser.
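
Added example, not part of the original thread: one way to serve a report stored outside the web root only to the session that generated it. The directory in REPORT_DIR, the 'report_file' session key (assumed to be set by the generating script when it writes the PDF) and the download name report.pdf are assumptions for illustration.

```php
<?php
// Added example: stream a generated PDF from a directory outside the web root.
// REPORT_DIR and the 'report_file' session key are hypothetical names.
declare(strict_types=1);

const REPORT_DIR = '/var/app-data/pdf-reports'; // assumed path, NOT under the document root

// Map the session to a real file inside $baseDir, or return null to deny.
function resolveReport(array $session, string $baseDir): ?string
{
    if (empty($session['username']) || empty($session['report_file'])) {
        return null; // not logged in, or no report generated for this session
    }
    // The name comes from the session, never from the URL; basename() drops directories.
    $name = basename((string) $session['report_file']);
    if (!preg_match('/\A[A-Za-z0-9_-]+\.pdf\z/', $name)) {
        return null;
    }
    // realpath() resolves symlinks and returns false when the file is missing.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved path escaped the report directory
    }
    return $path;
}

session_start();
$path = resolveReport($_SESSION, REPORT_DIR);
if ($path === null) {
    http_response_code(403);
    exit('Access denied');
}

// Content-Disposition sets the name the browser offers when saving,
// independent of the name of this script.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="report.pdf"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store'); // keep the report out of shared caches
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the file never has a URL of its own, there is no address another visitor could type in; the hourly cleanup job only needs to purge REPORT_DIR.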

Nutter

1:00 am on Dec 18, 2004 (gmt 0)




Thanks, that sounds like a great idea. I knew there was a reason I come here :-)