how to password protect downloadable pdf files in website

Solution 1

Use MySQL or MySQLite - depending on your preference - and store the link to the PDF in the database. Then use a script such as download.php. Store a password for the file in the database and require the user to enter it before the file is downloaded. If you're unfamiliar with databases you COULD do it all in PHP.

A VERY rough mockup (Without a database, if you are familiar with dbs, adjust accordingly)

HTML Form

<form name="download" id="download" method="post" action="download.php">
  <input type="password" id="password" name="password" />
  <input type="submit" id="submit" value="Download" />
</form>

PHP (download.php)

<?php
     // Get the password
          $pw = md5($_POST['password']);

     // Compare against the stored password
          $valid_pw = md5("your password you want to use");

          if($pw != $valid_pw){
               echo "Error! You do not have access to this file";
          }else{
               header("Location: /path/to/your/file.pdf");
          }
?>

NOTES:

I used an extremely basic method of encrypting the password. I would research better methods if this was my application but for the sake of brevity and ease of understanding, I used a simple md5() hash comparison.

Solution 2

You need to use a php file to feed the file through where the pdf files are stored in a NON PUBLIC folder.

For example, put your pdfs in a non public accessible directory, let's say: /home/pdfs/

And your PHP script in a public accessble directory, let's say: /home/public_html/

Inside the script in the public directory put:

if (isset($_GET('password')) {
die('wrong password');
}

if ($_GET['password'] != 'mypass') {
die('wrong password');
}

$file="/home/pdfs/test.pdf";
header("Pragma: public");
header('Content-disposition: attachment; filename='.$file);
header("Content-type: ".mime_content_type($file));
header('Content-Transfer-Encoding: binary');
ob_clean();
flush();
readfile($file); 

Use GET values to determine the file to download, but to ensure better security only allow .pdf extensions, strip all other periods and slashes to prevent them from traversing the directories of your server and being given important security files containing passwords etc!!! To be even safer still only name your pdf files using characters a-z 0-9 and - or _

And then when you wish to download a file craft the correct URL to the script above, and ensure the pdf file exists in the non public directory.

Solution 3

Follow @rsmith84's tips but make sure you block folder access:

Apache .htaccess file

Deny from all

IIS web.config file

<system.webServer>
    <security>
        <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Allow" roles="Administrators" />
        </authorization>
    </security>
</system.webServer>

Thenh allow delivery only with a PHP file. Verify user and then do readfile('/protectd/file/path') from your protected folder.