I'm working on a PHP web application that includes a members-only downloads area.
1.) What is the best way for non-members from directly access the downloads directory and downloading the files
2.) What is the best way for preventing them from ever discovering the actual directory.
I'm assuming that my first step should be to make the directory name a bunch of random values?
Put the files above the web root or if you don't have access to do that then put them in a password protected directly that has no passwords defined for access. Then load the files via a script that first checks that the person is logged in as a member.
On you pages you will just want to initiate session first thing and then if not logged in, send header location back to login. From there once you know they are logged in then you do the system felgall described.
This topic is now closed. New replies are no longer allowed.