File Download Login Protection with Session


I'd like to protect some files with a session Authentication. Some files can be viewed by users, some not.

I've implemented a solution with mod_rewrite and readfile(). My problem is that this function will use a lot of RAM and the server goes down when more users download files.

I tried this:

1) Pass a file through the PHP handler and use the prepend function. It doesn't work because when the prepend PHP file finished, the handler processed the file, and in my case the handler was blocked because of invalid ASCII chars. I couldn't manage to stop the handler from processing but still output the file.

2) Put the session, IP and the folder name in a temporary file, which I tried to check in my nginx.conf to exclude from rewriting. I failed because I was not able to extract only the folder name in nginx into a variable.

How can I solve this problem? Has anyone a suggestion?



If I understand the question correctly, you are trying to create a system that only allows authorised users to view certain files, and other users to view other files.

If my understanding is correct, then I would personally store the files above the root or in a secure location, and then have an access script (such as fetch_file.php) with a unique identifier in the URL (e.g. fetch_file.php?uid=1234).

If the user is authorised to access the file with the unique id of 1234, provide the file from the location details within the database; otherwise deny the request.

This way, the user cannot access the file without the correct permissions, as it is stored securely above the root, which should not be accessible from the internets.
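A sketch of the fetch_file.php approach described in the answer above, added here as an example and not code from the original post. The storage path, database DSN, table and column names and the `$_SESSION['user_id']` key are all assumptions.

```php
<?php
// fetch_file.php - added example; schema, DSN and paths are hypothetical.
declare(strict_types=1);
session_start();

const STORAGE_DIR = '/srv/protected_files';   // assumed directory outside the web root

// 1. Require a logged-in session (assumes the login code sets $_SESSION['user_id']).
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Accept only an integer identifier, never a path supplied by the client.
$uid = filter_input(INPUT_GET, 'uid', FILTER_VALIDATE_INT);
if ($uid === false || $uid === null) {
    http_response_code(400);
    exit('Bad request');
}

// 3. Look up the file and the user's permission in one query (hypothetical schema).
$pdo = new PDO('sqlite:/srv/app/files.db');   // assumed DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare(
    'SELECT f.stored_name, f.download_name FROM files f
       JOIN file_permissions p ON p.file_id = f.id
      WHERE f.id = :fid AND p.user_id = :user'
);
$stmt->execute([':fid' => $uid, ':user' => $_SESSION['user_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 4. Resolve the path and confirm it is still inside STORAGE_DIR.
$path = $row ? realpath(STORAGE_DIR . '/' . basename($row['stored_name'])) : false;
if ($path === false || strpos($path, STORAGE_DIR . '/') !== 0 || !is_file($path)) {
    http_response_code(404);                  // same reply for "missing" and "not allowed"
    exit('Not found');
}

// 5. Release the session lock and drop output buffers, then stream in 8 KiB
//    chunks so the file is never held in memory as a whole.
session_write_close();
while (ob_get_level() > 0) { ob_end_clean(); }
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($row['download_name']));
header('X-Content-Type-Options: nosniff');
$fh = fopen($path, 'rb');
while (!feof($fh)) { echo fread($fh, 8192); flush(); }
fclose($fh);
```

On nginx, step 5 can instead send an `X-Accel-Redirect` header pointing at a location marked `internal`, so nginx serves the bytes and the PHP worker is freed as soon as the authorisation check finishes.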

