[nycphp-talk] [OT] FORMS
Dan Cech
dcech at phpwerx.net
Thu Jul 19 19:05:47 EDT 2007
Brian Dailey wrote:
> Nicholas Hart wrote:
>>
>> Hi,
>>
>> Anyone know a simple way to read-protect a file/library via a php login? I have a login page which starts a session but there are certain dynamically created result files which I need to protect from potential prying eyes.
>>
>> For example, you can connect to https://www.mptf.org:75/docs/TF2.pdf but I want to find a way to test your login status before permitting you to view this file. Let me know what you think. Thanks!
> Feed it through a PHP page.
>
> Something like:
>
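> <?php
> session_start(); // needed before $_SESSION can be read
> if (isset($_SESSION['Auth']) && $_SESSION['Auth'] === true) {
>     // set headers?
>     // readfile() streams the file to the client; fread() needs an open handle
>     readfile('/not/web/accessible/dir/file.pdf');
> } else {
>     echo 'Denied, foo.';
> }
> ?>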

Yes, you'll definitely want to set the headers. You can do this based on
the extension or use something like the mime_content_type function or
the Fileinfo extension.

Also, you can use an Apache RewriteRule to force requests for any
documents you want to protect to go to your PHP script, something like:

    RewriteRule ^(.*\.php)$ - [L]
    RewriteRule ^(.+)$ protect.php [E=ORIG_FILE:$1,L]

This will force all requests for non-PHP files to go to your protect.php
script, where you can grab the requested file using the
$_SERVER['REDIRECT_ORIG_FILE'] variable, send the appropriate
Content-Type header and send the file contents.

If anyone has a more elegant way to achieve this or potential security
gotchas I'd love to hear them!

Dan