PHP Directory Download Permissions
Old 01-05-2009, 08:41 PM PHP Directory Download Permissions
Name: cbeaudin
I have a website that is group oriented and allows members to upload files within the groups that they are a part of. I am trying to find a way to make sure that only members of that group can download the files that belong to that group. Members must authenticate and be a member of the group to even view the links to the files, but how do I stop someone from just manually typing in the address to the file name in the address bar without .htaccess?

Is there a way to allow only read permissions to localhost and have the PHP page send the file to authenticated users?

Thank you for any replies.
__________________
- cbeaudin
Old 01-05-2009, 08:45 PM Re: PHP Directory Download Permissions
Name: Chris Hirst
http://www.webmaster-talk.com/coding...rectories.html
__________________
Chris. ->> Links are advertising NOT optimising!! <<-
A foolish consistency is the hobgoblin of little minds
Thought for today:- Is SEO the only industry where all the cowboys are Indians?
Old 01-05-2009, 08:52 PM Re: PHP Directory Download Permissions
Name: cbeaudin
Thank you for the quick reply.

There must be a more secure way of doing this. What's to stop a bot or program from grabbing all the files at once?
__________________
- cbeaudin
Old 01-05-2009, 09:02 PM Re: PHP Directory Download Permissions
Name: Chris Hirst
If the URIs are never publicly exposed how will a bot know where they are?

It's a relatively simple matter to push files out from any URI without exposing the files' actual location.
__________________
Chris. ->> Links are advertising NOT optimising!! <<-
A foolish consistency is the hobgoblin of little minds
Thought for today:- Is SEO the only industry where all the cowboys are Indians?
Old 01-05-2009, 09:16 PM Re: PHP Directory Download Permissions
Name: cbeaudin
I see what you're saying, but that seems pretty insecure in my opinion. There are some websites out there that offer online hard drive space without .htaccess. I would like to think they have something a little more secure than hiding the URI, or I could be wrong. Even with hiding the URI, being able to download something that could contain sensitive information without authenticating seems to be asking for trouble.
__________________
- cbeaudin
Old 01-06-2009, 01:15 PM Re: PHP Directory Download Permissions
Name: Chris Hirst
Quote:
Even with hiding the URI, being able to download something that could contain sensitive information without authenticating seems to be asking for trouble.
That's the purpose of using sessions and/or cookies.
If the session/cookie carries the correct information they get the file, otherwise they get told to "go away".

The page that does the authentication also does the download by setting the content type and requesting the file; that way ALL files are accessed via /download/?fileref=whatever. The real location of the file is never exposed; all the file refs/URIs are in a database and if needs be can be changed at a moment's notice. You can track the downloads to each registered user and the files can be located on any server, anywhere, which may or may not be the same server as the download page is.
__________________
Chris. ->> Links are advertising NOT optimising!! <<-
A foolish consistency is the hobgoblin of little minds
Thought for today:- Is SEO the only industry where all the cowboys are Indians?
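
The download gateway described in the last reply, sketched as an added example that is not code from the thread or from either poster: the session check, the group-membership check and the file lookup all happen before any bytes are sent. The table and column names, `STORAGE_DIR`, the database credentials and the token format for `fileref` are assumptions; the files are assumed to be stored outside the web root so that typing a URL cannot reach them.

```php
<?php
// download.php: added example, not code from this thread. Assumed names:
// $_SESSION['user_id'] set at login; tables files(ref, group_id, stored_name,
// original_name, mime_type) and group_members(group_id, user_id).
declare(strict_types=1);
session_start();

const STORAGE_DIR = '/var/app-data/uploads'; // assumed path, outside the web root

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// 1. No authenticated session, no file.
$userId = $_SESSION['user_id'] ?? null;
if ($userId === null) { deny(403); }

// 2. fileref is an opaque token from the database, never a path or file name.
$ref = $_GET['fileref'] ?? '';
if (!is_string($ref) || preg_match('/\A[A-Za-z0-9]{16,64}\z/', $ref) !== 1) { deny(400); }

// 3. One query answers both "does it exist" and "is this user in its group".
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app',
    getenv('DB_PASS') ?: '', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'SELECT f.stored_name, f.original_name, f.mime_type
       FROM files f JOIN group_members m ON m.group_id = f.group_id
      WHERE f.ref = ? AND m.user_id = ?'
);
$stmt->execute([$ref, $userId]);
$file = $stmt->fetch(PDO::FETCH_ASSOC);
if ($file === false) { deny(404); } // same answer for "no such file" and "not your group"

// 4. Resolve the stored name and confirm it is still inside STORAGE_DIR.
$path = realpath(STORAGE_DIR . '/' . basename($file['stored_name']));
if ($path === false || strpos($path, STORAGE_DIR . '/') !== 0 || !is_file($path)) { deny(404); }

// 5. Send it as a download; the real location never appears in the response.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', $file['original_name']);
header('Content-Type: ' . $file['mime_type']);
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Returning 404 for both a missing file and a file in another group keeps the gateway from confirming which `fileref` values exist.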