
I have a directory that contains many sensitive PDF documents. If someone knew the filename, they could simply bypass my login system and view the file just as if it were an image.

If I moved the directory out of the document root, how would I show it to the user once they were logged in? I'd need to pull the requested file back into the document root, but I'm not sure how to do this.

If there are any other suggestions aside from removing the directory from the root, I'm open to that as well. Thanks.

tukar

2 Answers


Serve the file through PHP so you will always know who/when/what will download.

fabrik
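
One way to do what this answer describes, as an added example that is not part of the original answer: the PDFs sit outside the document root, and a PHP script checks the login, validates the requested name, logs the download and streams the file. The script name `download.php`, the directory `/var/www/private_pdfs`, the `file` query parameter and the `$_SESSION['user_id']` key are assumptions.

```php
<?php
// download.php (hypothetical name) - this script lives inside the document root.
// The PDFs live OUTSIDE it, so Apache can never serve them directly by URL.
declare(strict_types=1);

const PDF_DIR = '/var/www/private_pdfs';    // assumed path, outside the document root

// Map a user-supplied name to a real file directly inside $baseDir, or null.
// Rejects directory parts ("../x.pdf"), non-PDF names and symlinks that lead elsewhere.
function resolve_pdf(string $requested, string $baseDir = PDF_DIR): ?string
{
    $name = basename($requested);            // strips any directory component
    if ($name !== $requested || !preg_match('/\A[\w.-]+\.pdf\z/i', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);   // false if missing
    if ($base === false || $path === false) {
        return null;
    }
    // After symlink resolution the file must still sit directly in the base directory.
    return (dirname($path) === $base && is_file($path)) ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {           // assumed: set by your login code
    http_response_code(403);
    exit('Login required');
}

$requested = $_GET['file'] ?? '';            // e.g. download.php?file=report.pdf
$path = is_string($requested) ? resolve_pdf($requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// "who/when/what": one audit line per download, written to the PHP error log.
error_log(sprintf('pdf-download user=%s file=%s time=%s',
    $_SESSION['user_id'], basename($path), date('c')));

header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

If different users may only see some of the documents, the per-user permission check belongs right after the login check, before `resolve_pdf()` is called.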

Add the following line to the .htaccess file:

```
RewriteRule ^(dir_name_1|dir_name_2)/? /error/404 [L]
```
Matej Baćo
  • Thanks MatejB. If I use this, when Apache serves the file, won't this stop the file? Or send the user to my 404 page? – tukar Mar 30 '11 at 10:27
  • Yes, it will stop the file. You could set some cookie when the user logs in inside the app and add a condition to the redirection like this: `RewriteCond %{HTTP_COOKIE} !^.*cookie-name.*$ [NC]` – Matej Baćo Mar 30 '11 at 10:36
  • Solution with PHP is more flexible ;) – Matej Baćo Mar 30 '11 at 10:42