Opening a file in a new window! Pls Help

[Bernini]

Hi

I have several documents which are only viewable by limited people. The intranet i have created opens these documents (word, excel etc etc) in a new window! The problem being that the document is opened through the header function therefore the url will be cached (ie.

http://intranet/docs/mydoc.doc)

which can be later be accessed directly!!

Is there a way to eliminate this! any ideas are most welcome!

Regards
B

 

[Olavxxx]

You can stream the contents via a php script, that hides the source.

Olav Alexander Mjelde

http://www.volvo-power.net

Admin & Webmaster

 

[jpadie]

i'd recommend having the url as a php page that checks the user permissions before downloading the real file.

hope the code below helps
Justin

//php download function

//lookup database to check authorisation from client
// 

if ($authorised)  //assume you set an authorised flag called $authorised
{ 
   $path = ""; //path to filename
   $filename = "";// filename to download
   if (file_exists($filename))
   {
     $size = file_size($path.$filename);
     $fd = fopen($path.$filename,"rb");
     header("Cache-Control: no-cache, must-revalidate");
     header("Pragma: no-cache");
     header("Content-type: application/octet-stream"); //forces download rather than display in browser window
     header("Content-length: $size)";
     fpassthru($fd);
   }
   else
   { 
     die("file does not exist");
   }
   
}
else
{
  die("you are not authorised to download this file");
}

 

[Olavxxx]

You can also check referrer btw.

Olav Alexander Mjelde

http://www.volvo-power.net

Admin & Webmaster

 

[Bernini]

Thanks guys!

I will check them out soon and let you know the outcome!


Regards
B

 

[Olavxxx]

ps. if you go for the streaming option, you can do:

page1 -> page2

make page1 generate a "type text, as seen in the picture above". If input is ok, set session variable to something.

then on page2, check if the session variable is something.
If not, stream them something like a picture, telling them "I dont like leechers" or something like that.

ps. I made a script that generates the links and stores a session variable. I think I put the code on this forum, but I cant remember what the thread was named.

I guess you however can search in the forum!
If you find it, I would like you to post the link here

I'm on a very slow dialup now, as well as I have to go to bed in an hr. so I'm off the internet for now.

Good luck!

Olav Alexander Mjelde

http://www.volvo-power.net

Admin & Webmaster

 

[tweenerz]

I had a similiar problem and came up with a slick solution (but you have to be able to modify and use htacess files). This is especially useful if you have a bunch of links already established and you don't want to change them.

Basically you create an .htacess file to redirect all requests for a word doc to a particular page. this works best if you have all the word docs in a specific directory (where you will place the .htacess file). Below is the code in the htaccess file:

RewriteEngine On
RewriteCond %{REQUEST_URI} \.doc$
RewriteRule (.+) http:\/\/%{HTTP_HOST}\/path\/to\/your\/php\/session\/validator\/page\/download\.php?file=$1

Then in your download.php page do what jpadie suggested above, but simply substitute $filename for $_GET["file"]. I would put some validation above it to ensure no one tries to get a file you don't want them to. The only thing I would add to jpadie's script is a header element to make it an attachment so you can change the filename - forcing the browser to select the correct program to open it:

//php download function

//lookup database to check authorisation from client
//

if ($authorised)  //assume you set an authorised flag called $authorised
{
   $filename = preg_replace('|\.\.\/|','',$_GET["file"]); //just in case
   if (file_exists($_SERVER["DOCUMENT_ROOT"]."/$filename))
   {
     $size = file_size($filename);
     $fd = fopen($filename,"rb");
     header("Cache-Control: no-cache, must-revalidate");
     header("Pragma: no-cache");
     header("Content-type: application/octet-stream"); //forces download rather than display in browser window
     header("Content-length: $size)";
	header("Content-Disposition: attachment;filename=something.doc\r\n");
     fpassthru($fd);
   }
   else
   {
     die("file does not exist");
   }
   
}
else
{
  die("you are not authorised to download this file");
}

Obviously, you can play with the path names, filenames, etc. to make it customizable to your situation. If you can't crate the .htaccess file, then use jpadie's, but add the attachment header line to it. You will have to change all you links that go directly to the word docs to go this download page. With either one of these options, you can place the files in a dir outside the web root for better security so they can't be accessed directly.