I'm using PHP 4.3 and Apache 2.0. I have a website that requires people
to log in before they can download files from my website. A person is
logged in if there is a session-variable $logged_in set to TRUE.
How can I prevent people from downloading a file (f.e. myfile.doc)
without being logged in when they know the direct link to the file
(http://www.mysite.com/somedir/myfile.doc)?
Putting the file in an obscure place by working with random numbers
(http://www.mysite.com/13ds5fd1g/myfile.doc) is not a solution for me.
The other solution of using a scriptfile like download.php as a gateway
to serve the file and restricting all other access to the directory with
a .htaccess file is also not an option, because this doesn't work
perfectly in older browsers that don't handle the headers (Content ...)
correctly.
I would like Apache to handle this. If one requests a file in a certain
directory, I want apache to check if the user is logged in or not by
calling a file like download.php. If he is logged in then the requested
file is served by apache (not by the download.php file acting as a
gateway). I was thinking to use mod_rewrite, but I don't think this
works because it will keep on rewriting the url to go to the
download.php file. Even if I'm coming from that place. Also using
HTTP_REFERER is not a good idea because a lot of firewalls prevent this
information.
Is this simply impossible? Can I use mod_rewrite for this and how? Are
there other possibilities?
Thanks
Jan Bols
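
The download.php gateway mentioned in the post, sketched as an added example that is not part of the original post: it checks the session flag, then confines the requested name to one directory before sending the file. It is written for current PHP rather than 4.3; the storage path, the `file` query parameter, the `$_SESSION['logged_in']` key and the `resolve_download()` helper are assumptions made for illustration.

```php
<?php
// download.php (added example). Assumptions: the files live in a directory
// Apache does not serve directly (outside the DocumentRoot, or denied in
// .htaccess), and the login code sets $_SESSION['logged_in'] = true.

// Hypothetical storage location; adjust to the real one.
const PROTECTED_DIR = '/var/www/protected_files';

// Map a user-supplied name to a real path inside $baseDir, or return null.
function resolve_download(string $baseDir, string $requested): ?string
{
    // Accept only a plain file name: no directory parts, no NUL bytes.
    if ($requested === '' || $requested !== basename($requested)
        || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() resolves ".." and symlinks; the result must stay under $base.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['logged_in'])) {
    http_response_code(403);           // not logged in: never touch the file
    exit('Login required.');
}

$requested = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : '';
$path = resolve_download(PROTECTED_DIR, $requested);
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

// Keep quotes and backslashes out of the quoted filename parameter.
$name = str_replace(['"', '\\'], '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```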