Reputation: 477
I want to be able to restrict access of a download only when someone has used the Sign Up form (after submit). The HTML/PHP cannot be accessible through copy/paste or posted link.
Here's what I have so far: Server: The "Downloads" folder on the server has an .htaccess file with
<Files download.pdf>
order deny,allow
deny from all
</Files>
Website: On the form, after submit there's a PHP contact-form-handler that sends the sign-up info to an email address and a redirect to the "Thank You - Here's Your Download html page." I have added on this html page
<META http-equiv="refresh" content="1;URL=http://www.pathtofilehere/signupform.php">
<a rel="nofollow" href="http://www.pathtofilehere/signupform.php"> Get Your Download Now!</a>
The "Thank You - Here's Your Download" page then prompts the automatic download PHP.
<?php
$filename = "download.pdf";
if (ini_get('zlib.output_compression')) ini_set('zlib.output_compression', 'Off');
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($filename));
readfile("$filename");
exit();
?>
I am on a tester server so I can't move the "Downloads" out of the root. I will move it out of the root once I get this set up. And another problem...the owner of the website doesn't have a database set up. So a login wouldn't work at this point. In the meantime...
What I want to happen: The download should only be available after "Submit" of the form. Right now, I can access the download through the html page or the PHP page. I've tried Gateway PHP --> Protected File PHP on the forum and couldn't get it to work. Can I set some sort of parameter, session, to pass through to make this only visible/accessible to the "Signed-Up" persons?
Thanks so much.
Upvotes: 2
Views: 2287
Reputation: 91742
The easiest way (without a login of any kind) would be to add a session variable that gets set when the visitor presses submit and checked in the download page for existence.
Just add something like:
session_start();
$_SESSION['submitted'] = 'somevalue';
at the top of the page that handles the submit and:
session_start();
if (!isset($_SESSION['submitted']))
{
// do whatever you want to do
die(); // stop further execution
}
$filename = "download.pdf";
if (ini_get('zlib.output_compression')) ini_set('zlib.output_compression', 'Off');
header("Pragma: public");
....
at the top of the download script you posted.
However, as you are talking about signing up, you can also add functionality that allows users to login at a later time to get the file (if the signup is related to a user account anyway). Then you would have your users login and check for a logged in user at the top of the download page.
Upvotes: 2
Reputation: 434
The global $_POST[] contains particular form values which are submitted through the post method only.
If you wrap your script around with some checks regarding this variable, you might get to a solution.
To be on the safe side, you could render some kind of hash that will also be submitted through the form and compare it with the expected one.
Upvotes: 1
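The session check from the first answer combined with the form hash suggested in the second, as an added example that is not code from either answer. The function names, the `form_token` key and the 15-minute window are assumptions; the session array is passed in as a parameter so the script also runs from the CLI.

```php
<?php
// Added example (not from the thread). Function names, the 'form_token' key and
// the 15-minute window are assumptions; 'submitted' is the key used in the answer.

const DOWNLOAD_WINDOW = 900; // seconds the download stays unlocked after submit

// Form page: create a random token, remember it, and echo it into a hidden field.
function form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Form handler: accept the POST only if it carries the token this session was given.
function handle_submit(array &$session, array $post, int $now): bool
{
    $expected = $session['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    unset($session['form_token']);                     // one submit per rendered form
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;                                  // not a submit of our form
    }
    $session['submitted'] = $now;                      // unlock the download
    return true;
}

// Download script: call before any header()/readfile(); die() when it returns false.
function may_download(array $session, int $now): bool
{
    $at = $session['submitted'] ?? null;
    return is_int($at) && $now >= $at && $now - $at <= DOWNLOAD_WINDOW;
}

// Constructed demo for the CLI. On the site, call session_start() and pass $_SESSION.
$session = [];
$now     = 1700000000;                                 // constructed timestamp
var_dump(may_download($session, $now));                // case: link opened directly
form_token($session);
var_dump(handle_submit($session, ['form_token' => 'guess'], $now)); // case: forged POST
$token = form_token($session);
var_dump(handle_submit($session, ['form_token' => $token], $now));  // case: real submit
var_dump(may_download($session, $now + 60));           // case: inside the window
var_dump(may_download($session, $now + DOWNLOAD_WINDOW + 1)); // case: window passed
```

Because the unlock lives in the server-side session, a copied or posted link opened in another browser fails the `may_download()` check. The `.htaccess` deny rule stays in place, since `readfile()` reads the PDF from disk and is not affected by it.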