so suppose my server is situated in

Then i put personal files file.exe within the files directory within the root server hence normally you are able to download that file by typing this in to the browser

And guess that I've got a php script that first authenticates the consumer after which redirect these to that file.exe download page

eg. that way:


what's the easiest method to

1.) prevent unauthenticated customers from being able to view that file by typing for the reason that URL above And

2.) possess the php script still in a position to serve that file despite 1.) hence authenticated customers should have the ability to download that file on that location

assuming which i make use of the standard Light stack (also I personally use Zend Framework)

Presuming the file isn't absurdly large, this will work:

  • Place the file somewhere outdoors from the web server document root so no browsers could possibly get into it directly.

  • Have your PHP script serve the file to customers if they're authenticated.

  • Make sure to send the right MIME type for that file using header().

When the file is large, you might hit some PHP memory or output limits.

: Suit your file with secrets in database. EG. file.exe = 2fae

1: Let user visit

2/3: See if user has the authority to download that key/file.

3/2: Research in database, match that key with actual file path

4: On download.php, write.

header('Content-disposition: attachment; filename='.$actual_file_path_and_name);
header('Content-type: application/exe'); // optional

It allows user download file.exe without letting him begin to see the actual Link to file.exe. It takes place on download.php.


If you are using Zend Framework you need to really envisage to make use of the built-in solution the framework provide you with and never to make use of simple php script. The very best solution, using ZF, is by using Zend_Session along with Zend_Acl. So you'll set something within the session user which describe the customer role once they login to your website. Then, you are able to restrict accessibility resource using Zend_Acl in line with the role that's occur the session.

I believe that utilizing a php proxy to gain access to the files could be sufficient within this situation, something like:


   /** Load your user assumed $user **/
   $file = '/files/file.exe';

   if (true === $user->exists()) { //do any other acl checks here
       header('Content-Description: File Transfer');
       header('Content-Type: application/octet-stream');
       header('Content-Disposition: attachment; filename="'.$file.'"');
       header('Content-Transfer-Encoding: binary');
       header('Expires: 0');
       header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
       header('Pragma: public');
       header('Content-Length: ' . filesize($file));
   } else {
       throw new Exception('Download restricted to authorized users only');

.htaccess To deny all direct file downloads devote /files/ directory using the following contents

deny from all

You would connect to the file by utilizing /download.php? also it would only download that file when the user is drenched in

Hope that can help