
If PHP session exists, then download a file from .htaccess locked folder

I have been looking to find a good guide on how to securely download files from a website only if a user session exists.

The files in the download folder should NOT be accessible if a user session doesn’t exist.

Therefore I assume the folder the files are stored in needs to be “locked” by a .htaccess file? Alternatively stored outside the root folder? Which is the best?

If anyone could point me to a good guide/tutorial for this it would be very much appreciated. Thanks


Answer

This is what I ended up doing which worked well. In my scenario I store my files outside of the root folder.

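// $fileroot is assumed to be defined earlier as the base directory outside the web root

// basename() strips directory components, so a value containing "../"
// cannot point outside the files directory
$filename = basename($_GET['filename'] ?? '');

// the file path and file you want to send inline
$path = $fileroot."/files/".$filename;

// is_file() also rejects an empty name, which would resolve to the directory itself
if($filename === '' || !is_file($path)) {
  die("There has been an error unfortunately");
}

// the file name of the download, change this if needed
$public_name = basename($path);

// get the file's mime type to send the correct content type header
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime_type = finfo_file($finfo, $path);

// header("Content-Disposition: attachment; filename=\"$public_name\"");
// Use "attachment" instead of inline if you want direct download instead

// send the headers (the file name is quoted so names with spaces survive)
header("Content-Disposition: inline; filename=\"$public_name\"");
header("Content-Type: $mime_type");
header('Content-Length: ' . filesize($path));

readfile($path);
exit;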


User contributions licensed under: CC BY-SA
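
A session-gated version of the download script, as an added example that is not part of the original answer: it refuses the request when no session exists and confirms the resolved path stays inside the storage directory. The `user_id` session key, the `DOWNLOAD_DIR` path and the `resolve_download()` helper are assumptions made for illustration.

```php
<?php
// Added example. Assumed names: $_SESSION['user_id'], DOWNLOAD_DIR, resolve_download().
declare(strict_types=1);

const DOWNLOAD_DIR = '/var/www/private/files'; // assumed location outside the document root

// Map a requested name to a real file inside $baseDir, or return null.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '') {
        return null;
    }
    // basename() drops directory parts; realpath() then follows symlinks,
    // so the prefix check below sees where the file really lives.
    $real = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($real === false || !is_file($real)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

session_start();

// 1. No logged-in session: refuse before touching the filesystem.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Session exists: validate the requested name (arrays such as ?filename[]=x are rejected).
$name = $_GET['filename'] ?? '';
$path = is_string($name) ? resolve_download(DOWNLOAD_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// 3. Stream the file with an explicit type and a quoted download name.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
$public_name = str_replace('"', '', basename($path));
header('Content-Type: ' . $mime);
header('Content-Disposition: attachment; filename="' . $public_name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff'); // stop browsers guessing a different type
readfile($path);
exit;
```

If the files have to stay under the document root instead, an `.htaccess` containing `Require all denied` (Apache 2.4) blocks direct requests while a script like this one can still read them from disk.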