[RESOLVED] Password Protecting PDF for Mag Subscription

[Nibinaear]

I'm producing a magazine website and at the very least the company are looking at having user registration, and from there letting the registered users only access an online pdf of the magazine.

Uploading the pdf is easy, but how do you only let registered users see the pdf file and not everyone?

Note: I don't want to just password protect the pdf, I want to allow only certain users to register and download it, I'm sure password protection of pdfs is possible at the pdf level but that's not what I want.

The other option is to find a way of getting from the pdf to a set of webpages containing the same content as the pdf of the magazine. Obviously the printed form is different to the website form. I've seen a good example of it here:

http://www.nxtbook.com/dal/graduateprospects/grad27/

Daniel

Edited
There seems to be some confusion about what I'm talking about, so I'll just clarify.

I have an online magazine which is called magazine.pdf. Each month this is replaced. I want to restrict the pdf using sessions or cookies so that only registred members can access it. This is a problem because anyone can access a pdf once they know the link to it and this would allow them to circumvent the login process. To avoid this I need a method of protecting the pdf so that only registered members can login and see it.

[PeejAvery]

Remember that if something is on a web server, for the most part, it can be seen as long as you have the exact location.

You can, however, use hashing to disguise the name.

[Nibinaear]

The idea of hashing sounds like a reasonable one as this is a non-commercial magazine they are subscribing to and registration is free.

Daniel

[szpilman]

sorry if i misunderstood ur question... what i got from the question is i think u just need a common user verification, just like what we have in codeguru ? only registered user can reply the post. if that is the case then

have u try it by configuring htpasswd, from apache configuration ?
or
what about creating piece of codes using session to check whether the visitor is valid or not ?
i mean, such this

Code:

if(registered_user) then
    download_file();
else
   warn_user();
end if

CMIIW

[Nibinaear]

No, the problem is that whereever you store the pdf file, that file is available to anyone because it is not part of a webpage. You can restrict access to a webpage, but you cannot restrict access to a file very easily. For example, you have sessions which prevent a user from entering a page, that page has a flash mag on it. We then have a page which links to a pdf, if the user gets this link then they have access to the page. I would restrict access in the apache config file but we are on shared hosting and cannot do this.

[szpilman]

We then have a page which links to a pdf, if the user gets this link then they have access to the page

i think, it depends on what type of links that u give to the user. if u give them a direct link such as :
http://domain/pdf/MarchWeek4.pdf
of course u cannot restrict the user from accessing the page unless u configure the apache.
but, what about this code ! also mixed with the session

THis is file that give the link to pdf <not a direct link>

Code:

...
<a href="http://domain/getfilepdf.php?name=someMagazine.pdf">GET SOME MAGAZINE</a>
...

THis is the file getfilepdf.php

Code:

<?php
session_start();
if(is_registered_user){
   // We'll be outputting a PDF
   header('Content-type: application/pdf');

   // It will be called downloaded.pdf
   header('Content-Disposition: attachment; filename=$name.pdf');

  // The PDF source is in original.pdf
  readfile('$name.pdf');
 }
else{
 echo "SORRY YOU MUST REGISTER FIRST TO SEE THE FILE";
 }
?>

i usually do the above to prevent someone from downloading file from my web using direct link and above codes also can be used to do some verification...

hope this can solve ur problem about

...if the user gets this link then they have access to the page....

'bout the problem

the problem is that whereever you store the pdf file, that file is available to anyone because it is not part of a webpage

maybe u could explain more.. i still didnt get the point...

[cherish]

'bout the problem

the problem is that whereever you store the pdf file, that file is available to anyone because it is not part of a webpage

maybe u could explain more.. i still didnt get the point...

The OP probably meant (and like what PeejAvery mentioned) that files uploaded on a webserver can be accessed by anyone since, basically it is open for the public (anyone) to see/access. For example, you store files for user download in one directory in the server, anyone can see all the files stored there once they know the directory name like in this case.

I might have gotten it wrong too. But if I am correct, one solution is to move your file directory away from your web root. A quote from this tutorial I found (where I got that sample link above):

Preventing direct access

For this example the upload directory where the files are stored is /home/arman198/public_html/examples/upload/files/. Using your browser you see the upload directory by clicking here. This is ( usually ) a bad thing because anyone can see directly the file list and download them all. If you don't want to prevent people from seeing the content of the upload directory you could create an empty file, name it index.html then put that file to the upload directory. This is certainly not the optimal solution because maybe some people will try guessing the files names.

A better approach is to move the upload directory away from your web root. For example, the web root for this site is: /home/arman198/public_html/ to prevent direct listing i can set the upload directory to /home/arman198/upload/.

This way an outsider cannot see directly what's inside the upload directory. For example, even if you go to this url : http://www.php-mysql-tutorial.com/../upload/ you can't see the upload directory

Source: http://www.php-mysql-tutorial.com/up...ile-server.php

Along the same lines, another solution would be to protect the directory where the files for download resides using .htaccess ... here are some useful links about it:
http://www.devwebpro.com/devwebpro-3...ess-Magic.html
http://www.codestyle.org/sitemanager...rors-403.shtml
http://www.ilovejackdaniels.com/apac...with-htaccess/

At least, you have one security level covered - the rest would be up to your PHP code in filtering users which files they can download. This really depends on your own requirements, but one idea I have is to indicate in the DB table holding info for the uploaded PDF files which user level is allowed for that specific file, etc. And ofcourse, your DB table for your users should have a field indicating their user level.

Regards.

[Nibinaear]

I'm loving everyone's enthusiasm for this, thanks for all your help. So php files can access folder's outside the root, but obviously a web browser can't? I've been playing with this idea because it says to do this in the O'reilly php security book to hide important information. Do you still reference other files as though the root didn't exist? For example, I have

localhost/dainsider/public_html/

and

localhost/dainsider/admin/variables.php

If "public_html/index.php" wishes to see the variables.php, does it reference "include_once("../admin/variables.php");" or just plain old "include_once("admin/variables.php");" ?

Also, if magazine.pdf is stored outside of the root, how do I link my visitors to it? Surely they can't get at it!


Also, there seems to be some confusion about what I'm talking about, so I'll just clarify.

I have an online magazine which is called magazine.pdf. Each month this is replaced. I want to restrict access to the pdf using sessions or cookies so that only registred members can access it. This is a problem because anyone can access a pdf once they know the link to it and this would allow them to circumvent the login process. To avoid this I need a method of protecting the pdf so that only registered members can login and see it.

[PeejAvery]

If the filename is the same, you cannot do it without using server-side elements, such as a database or text file. This would record the month and user's access. MySQL database would be your best option.

[cherish]

Sorry it took me a while to reply.

For example, I have

localhost/dainsider/public_html/

and

localhost/dainsider/admin/variables.php

If "public_html/index.php" wishes to see the variables.php, does it reference "include_once("../admin/variables.php");" or just plain old "include_once("admin/variables.php");" ?

Your safest bet is to use absolute file path. But in your example, "../admin/variables.php" is the correct way of referencing variables.php. Omitting the ../ makes the script that references a file assume that you're referring to the same directory where it (index.php) resides (public_html).

Also, if magazine.pdf is stored outside of the root, how do I link my visitors to it? Surely they can't get at it!

Well, the best way to find out is to try and see if it does or doesn't. Besides, instead of making your visitors link directly to your magazine.pdf file, why not link them to a download page that checks first whether a user is logged in before initiating the download of the file? (as shown by szpilman).

I have an online magazine which is called magazine.pdf. Each month this is replaced. I want to restrict access to the pdf using sessions or cookies so that only registred members can access it. This is a problem because anyone can access a pdf once they know the link to it and this would allow them to circumvent the login process. To avoid this I need a method of protecting the pdf so that only registered members can login and see it.

Following along with what I stated above, instead of having a page link to your magazine.pdf file, why not link to a page (let's say authenticate.php) that checks whether this particular user is registered/logged in or not. If this page finds out that the user is registered, it then calls another php script (let's say download.php) that initiates the download. This way, the filepath to your pdf file is kept hidden from the user. If the user is not logged in/registered, then authenticate.php would display a message saying so, and probably ask for the username/password. So even if the user bookmarks authenticate.php (or types this directly in the address bar of the browser, or links to it), your pdf file is safe because authenticate.php will always check first whether they're registered or not; aside from that, only download.php specifically "knows" (or contains) the path to your pdf file. (Hint: you can put download.php in a directory away from your web root for good measure. But read the Downloading section of that article I quoted, and click the download2.php link to give you an idea).

There are other ways to do this, depending on the approach you want to take. PeejAvery's suggestion is another one.

Best regards.

[Nibinaear]

Okay, thanks for that Cherish. The download approach szpilman and you suggest seems to be the best option. This way I can initiate a download rather than view directly online and this will protect the file completely.

Thanks for everyone's help.

Update: I tried szpilman's code and it worked a treat. I put the magazine outside of the root for good measure (I hope that'll work once I upload to the web, localhost at the moment.)

[Nibinaear]

P.s. This has nothing to do with client side scripting and shouldn't have been moved.

[PeejAvery]

I agree. I will report it. When was it moved to client-side?

[bubu]

Lol, you guys tent to complicate things. I see two easy solutions:


Solutuion 1
Apache webserver enables you to protect files and directories with passwords. It's called HTTP Auth. A tutorial on this.

Solution 2
Store your pdf files in database instead of file system. So it will not be avaliable in filesystem. Then in the download page you do simple logic as it was stated above already:
<?php
if (user_logged() and user_can_download_this_mag()) {
start_download_from_database();
}
else {
echo 'Nananana';
}
?>


Solution 2 is best for you because you will be able to control wich user can download what magazine. Also in solution 1, if someone spread the server password in a public forum (for example) everybody will be able to download your magazine and you will never know who was the *******.

[Nibinaear]

Code:

<?
  $site_url = "http://".$_SERVER['SERVER_NAME']."/mysite/";
  
  session_start();
  
  //if we do then is the user already registered?
  if(!isset($_SESSION['id']))
  {
    header("Location:logmein.php");
    exit();
  }
  
  $name="../mag/mag.pdf";

  header('Content-type: application/pdf');
  header('Content-Disposition: attachment; filename=mag.pdf');

  // The PDF source is in original.pdf
  readfile($name);
?>

Well I don't see what's complicated about the above, and you don't have to learn much. Nice idea though, I'll have a look.