I have been looking to find a good guide on how to securely download files from a website only if a user session exists.
The files in the download folder should NOT be accessible if a user session doesn’t exist.
Therefore I assume the folder the files are stored in needs to be “locked” by a .htaccess file? Alternatively stored outside the root folder? Which is the best?
If anyone could point me to a good guide/tutorial for this it would be very much appreciated. Thanks
Advertisement
Answer
This is what I ended up doing which worked well. In my scenario I store my files outside of the root folder.
$filename= $_GET['filename'];
// the file path and file you want to send inline
$path = $fileroot."/files/".$filename;
if(!file_exists($path)) {
die("There has been an error unfortunately");
}
// the file name of the download, change this if needed
$public_name = basename($path);
// get the file's mime type to send the correct content type header
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime_type = finfo_file($finfo, $path);
// header("Content-Disposition: attachment; filename=$public_name;");
//Use "attachment" instead of inline if you want direct download instead
// send the headers
header("Content-Disposition: inline; filename=$public_name;");
header("Content-Type: $mime_type");
header('Content-Length: ' . filesize($path));
readfile($path);