为 PDF 创建安全文件托管服务器
我正在开发一个网站,允许客户登录并查看保存在服务器上的各种 PDF
.这些 PDF 对客户端来说是唯一的,不应该被未登录的人访问.将文件放到服务器上应该不是问题,我只是不确定如何将它们提供给最终用户.
I'm working to develop a website that allows clients to log in and see various PDFs
saved on the server. These PDFs will be unique to the client and should not be accessible by someone who is not logged in. Getting the files onto the server shouldn't be an issue, I'm just not sure on how to serve them to end users.
我已经通过提供来自 SQL 服务器
的数据而不是文件来实现这种事情,所以我不完全确定最有效的方法是什么.
I've implemented this kind of thing with data from SQL servers
being served instead of files, so I'm not entirely sure what the most effective way to go about this.
该网站位于 LAMP
上,而我在 PHP
方面的经验最少(但如果框架或其他语言能让这变得更容易,我可以学习它).
The website is on a LAMP
and my minimal experience is in PHP
(but if a framework or other language would make this easier, I can learn it).
我可能有点不知所措,但我通常是这样,所以任何输入都会很棒.
I'm probably in over my head but I usually am, so any input would be great.
推荐答案
将文件放在 webroot 之外.然后使用 PHP 通过脚本传递文件.这样,没有人可以直接链接到文件并绕过您的控制.(当然要确保只有在验证用户有权检索该文件后执行此操作的脚本).
Put the files outside of the webroot. Then using PHP pass the file though a script. That way no one can link to the file directly and bypass your controls. (Naturally make sure the script that does this only after verifying the user has permission to retrieve that file).
示例 PHP:
<?php
session_start();
if (!isset($_SESSION['authenticated'])) {
exit;
}
$file = '/path/to/file/outside/www/secret.pdf';
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename=' . basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
?>
相关文章