Brian Dailey wrote:
> Nicholas Hart wrote:
>>
>> Hi,
>>
>> Anyone know a simple way to read-protect a file/library via a PHP login?  I
>> have a login page which starts a session but there are certain dynamically
>> created result files which I need to protect from potential prying eyes.
>>
>> For example, you can connect to https://www.mptf.org:75/docs/TF2.pdf but I 
>> want to find a way to test your login status before permitting you to view 
>> this file.  Let me know what you think.  Thanks!

> Feed it through a PHP page.
> 
> Something like:
> 
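> <?php
>     // $_SESSION is only populated after the session has been started
>     session_start();
>     if (isset($_SESSION['Auth']) && $_SESSION['Auth'] === true) {
>         // set headers?
>         // readfile() takes a path and streams the file to the client
>         // (fread() needs an open handle and a length)
>         readfile('/not/web/accessible/dir/file.pdf');
>     } else {
>         echo 'Denied, foo.';
>     }
> ?>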

Yes, you'll definitely want to set the headers; you can do this based on
the extension or use something like the mime_content_type function or
Fileinfo extension.

Also, you can use an Apache RewriteRule to force requests for any
documents you want to protect to go to your PHP script, something like:

RewriteRule ^(.*\.php)$ - [L]
RewriteRule ^(.+)$ protect.php [E=ORIG_FILE:$1,L]

Will force all requests for non-PHP files to go to your protect.php
script, where you can grab the requested file using the
$_SERVER['REDIRECT_ORIG_FILE'] variable, send the appropriate
Content-Type header and send the file contents.

If anyone has a more elegant way to achieve this or potential security
gotchas I'd love to hear them!

Dan

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
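
Added example, not part of the original thread and not code from either poster: a protect.php for the RewriteRule setup above that treats REDIRECT_ORIG_FILE as untrusted input and confines it to the protected directory before sending the file. It assumes the login page sets $_SESSION['Auth'] = true and that the files live under the /not/web/accessible/dir placeholder path used earlier in the thread.

```php
<?php
// protect.php - added example; BASE_DIR and the session key are assumptions
// carried over from the thread, adjust them to the real application.
const BASE_DIR = '/not/web/accessible/dir';

/**
 * Map the requested name to a real file under $baseDir, or return null.
 * realpath() collapses "../" segments and symlinks, so the prefix check
 * runs on the final on-disk location rather than on the raw request string.
 */
function resolve_protected_path(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . ltrim($requested, '/'));
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The trailing separator stops "/dir-other/x" from passing as "/dir".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (!isset($_SESSION['Auth']) || $_SESSION['Auth'] !== true) {
    http_response_code(403);
    exit('Denied.');
}

// Set by the E=ORIG_FILE flag on the RewriteRule; the client controls it.
$requested = $_SERVER['REDIRECT_ORIG_FILE'] ?? '';
$path = resolve_protected_path(BASE_DIR, $requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found.');
}

// Detect the type from the file contents with the Fileinfo extension.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private');
session_write_close(); // release the session lock before streaming
readfile($path);
```

The rewrite only protects files that Apache could otherwise serve directly, so the documents themselves should sit outside the document root as in the first reply.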
