Serve PDF file only to an authenticated user with PHP

Asked Apr 10 '19 at 10:39

Active Apr 10 '19 at 10:39

Viewed 418 times

I want to serve a PDF file to an authenticated user via PHP.
Only the owner should be able to access this file, since it contains sensible information.

The direct solution would be:

See if the user is authenticated and redirect to the original PDF path.

But this would allow the user to know the path where the pdf files are being stored, and just try to access random pdf names, which is very unsecure.

I thought about a different way, inspired by this question: Hide real path of images in php is possible?

Doing it as follows:

# user visits /pdf-public/whatever
# where the index.php file would be:

<?php

....

if($user_id){

  if(file_exists("../pdf-secret/whatever-" . $user_id.".pdf")){

      header('Content-Type: application/pdf');
      readfile("../pdf-secret/" . $user_id.".pdf");
  }

}

Question:

Is this a secure way?
Does the user have any way to find the real path /pdf-secret/?

asked Apr 10 '19 at 10:39

Álvaro Franz

Yes, that's fine, so long as that pdf-secret folder is outside the web root, and you've used a good authentication system. – Synchro Apr 10 '19 at 12:01
1

@Synchro "so long as that pdf-secret folder is outside the web root". Did not know I can do that. Now I know. thank you. – Álvaro Franz Apr 10 '19 at 13:12

Serve PDF file only to an authenticated user with PHP

0 Answers0