Automatic Download of Files using application/save on Windows XP SP2 Browsers

Chris Lobdell

Hey, everyone.
For the past two years, we have offered files for download through a
secure website. Users, after clicking on a link, are redirected to a
PHP page that passes the appropriate header information to the user
and inquires if that user wishes to download the file.

A sample of that code is below:

header('Content-Type: application/save');
header('Content-Disposition:attachment; filename="'.$file_path .'"');
header('Content-Transfer-Encoding: binary');
header('Content-length: ' . filesize($full_file_path));
readfile($full_file_path);

However, with the enhanced security now available in Windows XP SP2,
users are no longer prompted to download the file. In fact, Windows
XP SP2 not only suppresses the download but will not even present the
end user with an option to download the file. Has anyone else
encountered this type of situation? If so, is there a programmtic
solution to, at the very least, prompt the user to download the file
without requiring the user include the website as one of his/her
trusted websites.

Thanks,
Chris

Jul 17 '05 #1

John Dunlop

Chris Lobdell wrote:

[ ... ]

header('Content-Type: application/save');
Sending application/save is not appropriate; using non-
registered media types is discouraged by the spec which,
given the information you provided, you're otherwise
adhering to. If you must make them up, prefix 'x-'. Why
make them up?
header('Content-Disposition:attachment; filename="'.$file_path .'"');
I'm not convinced if C-D:attachment has a place on the WWW.
Is it the provider's job to indicate that the presentation
of a resource be 'contingent upon some further action of the
user' (RFC2183 sec. 2.2)? I don't see much point in either
the inline or attachment disposition types. Perhaps an
undefined disposition type together with a filename
parameter have some use though.
header('Content-Transfer-Encoding: binary');
Now I'm thinking this isn't for the WWW, because RFC2616
doesn't define a CTE header. What did you mean by this?
header('Content-length: ' . filesize($full_file_path));
readfile($full_file_path);

However, with the enhanced security now available in Windows XP SP2,
users are no longer prompted to download the file. In fact, Windows
XP SP2 not only suppresses the download but will not even present the
end user with an option to download the file. Has anyone else
encountered this type of situation? If so, is there a programmtic
solution to, at the very least, prompt the user to download the file
without requiring the user include the website as one of his/her
trusted websites.

Stop prompting. What made you want to prompt anyway?

--
Jock

Jul 17 '05 #2

outre2001

I'm having the same problem. Nothing happens after initiating download.
Here's the code:

<?php
if (isset($file)) {
$len = filesize($file);
$filename = basename($file)

//Begin writing headers
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Type: application/pdf");
header("Content-Disposition: attachment; filename=$filename");
header("Content-Transfer-Encoding: binary");
$fh = readfile("$filename");
fpassthru($fh);
exit;
}
?>

to see it in action (or rather inaction) go to:
http://www.chachasupermarket.com/contact.php

hover over products and click on Cataloque Download

Apr 30 '06 #3