got a website where users view or download docs and pics they uploaded earlier.
let me show you what is working before I present the problem.
user clicks a link to their doc or image and browser opens it in new window.
browser url bar shows something like: mysite.com/files/box/data/278/myimage.jpg
ALL IS WELL, this is working fine.
HOWEVER, I want to add a bit of security to keep users out of other people’s folders.
ie, can’t have them changing url to something like: mysite.com/files/box/data/456/mytaxes2011.pdf
SO, using .htaccess I intercept all requests to /data/ and check authorization. once they get the green light, I open the file and pass it to the browser:
// Open the file for reading
$fp = fopen($_SERVER[‘DOCUMENT_ROOT’].$_SERVER[‘REQUEST_URI’], ‘r’);
// Set mime type to header
header('Content-type: '.mime_content_type($_SERVER[‘DOCUMENT_ROOT’].$_SERVER[‘REQUEST_URI’]));
// Send the contents of the file the browser
fpassthru($fp);
fclose($fp);
HERE IS THE PROBLEM: headers getting screwed up. files do not open properly. not working in IE, FF, or CHROME. both before and after my security mod, identical REQUEST HEADERS are being sent:
Request Headers
Host www.mysite.com
User-Agent Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 AskTbHIP/3.15.4.23821 Firefox/3.6.8 (.NET CLR 3.5.30729)
Accept text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 115
Connection keep-alive
Referer https://www.mysite.com/files/box/index.php
Cookie PHPSESSID=90bae8f5ad8ca690beaf8e389b2cc3fb
BUT I’M GETTING DIFFERENT RESPONSE HEADERS BACK. here is the good response - before the mod:
Response Headers
Date Tue, 03 Jul 2012 02:14:02 GMT
Server Apache
Last-Modified Tue, 03 Jul 2012 02:01:07 GMT
Accept-Ranges bytes
Content-Length 169175
Keep-Alive timeout=5, max=75
Connection Keep-Alive
Content-Type image/jpeg
AND here is the bad response - after the mod:
Response Headers
Date Tue, 03 Jul 2012 02:15:36 GMT
Server Apache
Expires Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma no-cache
Keep-Alive timeout=5, max=75
Connection Keep-Alive
Transfer-Encoding chunked
Content-Type image/jpeg
SO PLEASE, what do you make of this? looks like the headers are corrupted or lost by the PASSTHRU??
ANY IDEAS AT ALL PLEASE & THANK YOU !!
