Allowing secure downloads in PHP for websites

Question

I have uploaded some zip files to my server and now want to allow a user to download them if he/she has an appropriate password. I'm coding in PHP and I've made it so a user cannot access the page with the links to zip files unless the proper password has been entered, but by having a link to my zip file the user could just see and in future cases type in the absolute location of the zip file and bypass my password checks. If I change the file permissions on the zip file then I can't have it as a link because the user won't be able to access it. How can I allow the user to get the zip file while still keeping it secure? Any suggestions would be much appreciated.

Answer 1

You need to write code that can hide download links/ the links need to expire and new links should take its place and/or links should change.

You can code it in PHP or use an existing piece of code that exactly does this.

http://sixthlife.net/product/secure-download-links/

Answer 2

Use .htaccess to deny direct access to files. Put this .htaccess file in relevant folder.

Then from php authenticate user and after successful authentication, redirect user to a download.php with file name as a parameter (or even id), then use force download to let them download. This way even if they have direct link to zip file, they will not be able to download the file.

Answer 3

The best way to do this is to mask url.

• user logins
• generate a token based on his login details. some md5 or whatever you decide
• create a download link (eg: download.php) that load the file based on valid token and session and get's the file with file_get_contents().