Reputation: 626
I have a website and I want only registered members to be able to download a particular file. For this I have the following structure:
In the directory where I have the original setup file, I created a .htaccess file with:
Order Deny,Allow
Deny from all
And, from a file called download.php, I call this file using:
<?php
$filename = "127.0.0.1/eye/setup/setup.msi";
if(ini_get('zlib.output_compression'))ini_set('zlib.output_compression', 'Off');
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($filename));
readfile("$filename");
exit();
?>
But the problem is: if anyone knows the exact location of my file, he/she can easily set up a similar PHP file on his/her server, passing $filename as the original location. So, how can I rely on this script for security?
Is there any other strategy?
Upvotes: 1
Views: 1042
Reputation: 1542
You can make your directory password protected with the help of htpass in the htaccess file. With the help of this htpass in htaccess
Upvotes: 0
Reputation: 785098
One solution is to keep the download folder outside DocumentRoot. And then download.php will just read it using a local path:
$filename = "/path/to/eye/setup/setup.msi"; // or build filename using $_GET
Then this PHP code would read the content of the desired file from the local path and set the appropriate content type.
Upvotes: 2
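The approach from the answer above, combined with the registered-members check the question asks for, as an added example that is not code from either answer. The `user_id` session key, the `file` query parameter and the `DOWNLOAD_DIR` constant are assumptions; the point is that a name built from `$_GET` is validated and confined to the download folder before it is read.

```php
<?php
// Added example: DOWNLOAD_DIR, $_SESSION['user_id'] and $_GET['file'] are assumed names.
declare(strict_types=1);

const DOWNLOAD_DIR = '/path/to/eye/setup';   // folder kept outside DocumentRoot

// Map a user-supplied name to a real file inside $baseDir, or return null.
function resolveDownload(string $baseDir, string $requested): ?string
{
    // Accept a bare file name only: no directory separators, no leading dot.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]*\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;                          // folder or file does not exist
    }
    // After symlinks are resolved, the file must still sit under the base folder.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {            // set by the site's login code (assumed)
    http_response_code(403);
    exit('Login required');
}

$requested = $_GET['file'] ?? null;
$path = is_string($requested) ? resolveDownload(DOWNLOAD_DIR, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

Because the folder is outside DocumentRoot, the web server has no URL that maps to the file, so the session check in this script is the only way to reach it.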