amathur347 Smarty Rookie
Joined: 14 May 2003 Posts: 7
Posted: Tue Dec 09, 2003 2:36 am Post subject: protect files used in my templates
Hi,
I have developed a Smarty-based website. A major component of it involved user authentication providing restricted access to certain PDF files. I have included links to the PDF files in the template files, access to which is regulated from my authentication script. Everything works great if I have a user who sticks to profile. But if the user discovers the path to the PDF files and types it directly on the URL, my authentication script goes to the dogs.
Is there any way I can avoid this? I tried protecting the directory with the PDFs via htaccess, adding a random user. But this comes into play when the file is accessed normally too.
Basically, the complete authentication drama has been designed to protect these PDF files, and I have so far been unsuccessful.
Any inputs???
boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Tue Dec 09, 2003 2:46 am
Not much you can do from Smarty--this is a webserver level issue, IMO.
If you have a public link that resolves to a public file, then "hiding it" doesn't stop people from finding it necessarily. You need to either institute webserver authentication or you need to put a PHP interface in front of your PDF files -- i.e. don't link to the PDF files, but instead to a PHP script which then loads the file and streams it to the client after setting appropriate headers.
Alternatively, use PDF security so that the PDF files require a password to open.
HTH
amathur347 Smarty Rookie
Joined: 14 May 2003 Posts: 7
Posted: Tue Dec 09, 2003 2:57 am
How does a PHP script 'load' a PDF file? Do you have some examples I can look into?
boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Tue Dec 09, 2003 3:03 am
http://php.net/pdf
Take a look at example 2.
Cheers!
amathur347 Smarty Rookie
Joined: 14 May 2003 Posts: 7
Posted: Tue Dec 09, 2003 4:09 am
For some reason I can't get it to work. It's returning those shady-unprintable-but-still-printed characters!!
My code is:
<?php
// Headers must be sent before any output, including whitespace above the opening tag.
$filename = 'oxygen_s.pdf';
$len = filesize($filename);
header("Content-type: application/pdf");
header("Content-Length: $len");
header("Content-Disposition: inline; filename=oxygen_s.pdf");
// Stream the file contents to the client.
readfile($filename);
?>
boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Tue Dec 09, 2003 4:17 am
Remember, you have to send the headers prior to sending anything else to the client--even sending a blank line will cause the connection headers to be set to the defaults for your webserver (likely text/html).
See also the notes for http://php.net/readfile
amathur347 Smarty Rookie
Joined: 14 May 2003 Posts: 7
Posted: Tue Dec 09, 2003 4:24 am
Ya, I did that.. nothing is going before that. When something did, I got the error.. header already blah blah. After clearing all those errors I ended up with a page full of those characters.
Check it out:
www.prosperitas.com/secure/pdf.php
|
boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Tue Dec 09, 2003 4:37 am
Hmmm...worked for me, though it linked to a Word doc. Tried from IE6 on W2K and Epiphany on Linux -- no problems. Try clearing your browser cache.
amathur347 Smarty Rookie
Joined: 14 May 2003 Posts: 7
Posted: Tue Dec 09, 2003 8:59 am
Yes, it works. I would have loved it if it did not open up an application though. I would like to open up the file on the same page, so that I can maintain the look and feel of the page.
I am new to the HTTP headers thing. Is there a parameter that does not force the file to be downloaded, and simply opens up on an existing page?
Thanks for the help so far, btw. I have progressed a lot this night.. just need to take those final steps.
boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Tue Dec 09, 2003 9:16 am
Hi again.
I'm glad I was of help.
IIR it is the header directive
header("Content-Disposition: inline; filename=oxygen_s.pdf");
that forces the download. Try not sending that header.
See also: http://www.zend.com/manual/function.header.php
ps. I didn't mention it explicitly before, but obviously this script that streams your file should first authenticate your client. This is required since the request will be coming in on a new connection from the client so any authentication you already did will not be available (of course, you can use sessions to manage this, but I suspect you already are doing something--this is just a note for the sake of completeness).
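The approach described in the posts above (link to a PHP script that authenticates the request and then streams the file), as an added example that is not code from anyone in this thread. It assumes the site's login script sets $_SESSION['user_id'], that the PDFs are kept in a hypothetical directory outside the web server's document root so a typed-in URL cannot reach them, and that the template passes the document name in a hypothetical "doc" parameter.

```php
<?php
// Added example, not code from the thread. Assumptions (hypothetical names):
//  - the site's login script sets $_SESSION['user_id'] on success
//  - the PDFs live in PDF_DIR, a directory outside the document root
//  - the template links to this script as pdf.php?doc=oxygen_s
const PDF_DIR = '/var/www/private/pdfs';

// Map the requested name to a file inside $baseDir, or return null.
function resolve_pdf(string $doc, string $baseDir): ?string
{
    // Allow-list the name: letters, digits, underscore, hyphen only.
    // This rejects "../", absolute paths and NUL bytes before any filesystem call.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $doc)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $doc . '.pdf');
    // realpath() returns false for missing files and resolves symlinks,
    // so a link pointing outside the directory fails the prefix check.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();

// Every request for a file is authenticated on its own.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

$doc = $_GET['doc'] ?? '';
$path = is_string($doc) ? resolve_pdf($doc, PDF_DIR) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Headers go out before any body bytes; nothing may precede the opening tag.
header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

The closing PHP tag is left off on purpose so that no trailing whitespace is sent after the file's bytes.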
amathur347 Smarty Rookie
Joined: 14 May 2003 Posts: 7
Posted: Wed Dec 10, 2003 10:52 am
Hey boots..
Did anyone tell you that you are the best???
Well, in case others failed to recognize you.. I am saying it.
It works beautifully.
Thanks again.