How to allow download a file from only one URL?

Question

I'm looking for a pretty simple PDF-file download protection, but I'm not sure where to begin.

It's a PDF file and I offer the download link on a password protected WordPress page. When someone signs up to my list, they get an email with the password. On the password protected page is the link to the PDF-file

I want only this page (specific URL) to be able to access the file. So link sharing would be impossible, unless you have the password for the page.

Can this be achieved via a htaccess file? Something like this:

<Files *.pdf> 
    order Deny,Allow 
    Deny from all 
    Allow from *SPECIFIC_URL* 
</Files> 

Please help

Thanks...

Answer 1

You can achieve some security, not really what you are looking for, but as temporary placeholder that is very easy to setup, .htaccess with password protection. it will prompt users for password, and you can make htpassword generated on the fly, and given to user. Of course its NOT hassle-free method, but its better than nothing. And you can have own "admin" password that can be written while nobody has the access to file. But as I mentioned, its temporary thing, but it should be easy to setup.

(code from http://www.htaccesstools.com/articles/create-password-for-htpasswd-file-using-php/)

<?php
// Password to be encrypted for a .htpasswd file
$clearTextPassword = 'some password';

// Encrypt password
$password = crypt($clearTextPassword, base64_encode($clearTextPassword));

// Print encrypted password
echo $password;
?>

Answer 2

Well , for each signup you could assign a 'download_state' to the user in database with default value 'working' , and when the user access the protected page Page will check if 'download_state' is still up. If it is php will provide the download link and update 'download_state' to 'expired'

    If (download_state == "working")
{
ServeDownload
Update download_state to 'expired'
}else 
Die("Your link is expired please get a new one")

For serving download you could use the following example

    $file_url = path/document.pdf;
    header('Content-Type: application/pdf');
header("Content-Disposition:attachment;filename='document.pdf'");
    header("Content-Transfer-Encoding: Binary");
    header("Content-disposition: attachment; filename=".$pdfname);
    readfile($file_url);

And in this way pdf file location will be hidden.

Answer 3

I would create php script that check auth and return your pdf with proper headers if auth is ok. And use link to the script on the page instead of direct link to the pdf. Pdf-file could be placed somewhere outside your "web" folder.