2

I'm trying to make the URL of a downloadable PDF document invisible to the user, so that they can't access it from anywhere else. I need to hide the URL from the bottom left of the page (when they mouse over) and the URL from the browser's address bar when they open it. I need it to work on all browsers.

My HTML looks like this:

<a href="http://www.example.com/files/pdf/a34501.pdf">View PDF</a>

And the link should look like this:

View PDF

The reason is the user must provide a code to be able to download their document, but if they can see the URL they could easily download someone else's documents (they only have to change a digit in the "a34501.pdf" part).

I read something about using a JavaScript function to encrypt the URL, or use an external PHP file. However, I don't know how to do that.

Thanks.

Alonso Arellano
    Your entire architecture is wrong. You need unique codes per document, not link hiding. Even if you hide the link, someone could relatively easily figure out the url and download to their heart's content. – Mansfield Jul 08 '13 at 18:48
  • When people upload them, use salting and the timestamp to make unique links along with the file default name. Also: *Questions must demonstrate a minimal understanding of the problem being solved. Tell us what you've tried to do, why it didn't work, and how it should work.* – Jeff Noel Jul 08 '13 at 18:48
  • It sounds like you don't want to use direct links at all, make your server's code read and output the file 1-to-1 upon correct request. – Paul S. Jul 08 '13 at 18:50

2 Answers

7

Hiding the URL will baffle the least tech-savvy users, but not anyone who is willing to download your files and has very minimal tech knowledge. If you need to hide your files behind a code (or paywall), you can use a PHP script that authenticates the user and spits out the corresponding file; a small example is like this:

<?php
// $validUser and $fileName come from your own authentication and lookup code;
// this snippet assumes they are already set. The directory is a placeholder.
if ($validUser)
{
    // Keep the files in one fixed directory and strip any path components, so a
    // client-supplied name cannot escape it.
    $path = "/var/www/files/pdf/" . basename($fileName);
    $size = filesize($path);
    $fp = fopen($path, "rb");
    $content = fread($fp, $size);
    fclose($fp);

    header("Content-Length: " . $size);
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=\"" . basename($fileName) . "\"");
    echo $content;
}
exit();

This assumes you have the files physically on the server, but you can modify it if you have them in a database or any other storage medium. Of course, you must first validate whether the user has the right to download that file, but this is up to you.

Rafael
2

You can use a PHP script to provide the document, while still allowing PHP to authenticate the user's session information, etc.

The process goes like this:

  1. User enters a unique code (after additional authentication required to validate the user).
  2. A unique document link is generated, such as: http://domain/download.php?file=58afg71057ga82157 (example)
  3. download.php validates the user request against stored session information -- if everything checks out, it sends the file header() and passes along the file contents.

This basic file download tutorial provides the very basics of providing a file in this way. You will need to improve upon this basic tutorial, but it should give you an idea of how the process works.

Suggestions:

  • Use a unique "key" per user (allowing the same user to re-download); or,
  • A single-use key which only allows a single download, ever; or,
  • Require user authentication, so that you know whether they should be "allowed" to use the key.
  • Do not use a "filename.ext" to locate the file to download, either store the name in the session or use a unique identifier stored in a database.
  • Don't just copy-paste example scripts; they are often extremely insecure.
Jacob S
    that link throws an error, 403 – dev_masta Mar 30 '16 at 20:07
  • The link is throwing an error so this answer is almost useless now. This is partly why there are now rules in place and it makes sense to copy code examples directly into your answer or link to a somewhat reliable source like github or aws or something of that nature. – Donovan Sep 25 '20 at 05:49
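Since the linked tutorial is gone, here is the three-step download.php flow from the second answer, combined with the first answer's header-and-output approach, written out as an added example (not code from either answer or the tutorial). The $tokens array, the /var/www/private/pdf/ directory and the user_id session key are assumptions standing in for a real database, file store and login code.

```php
<?php
// download.php: hand out a file by opaque token, never by filename.
session_start();

// Constructed sample of what the database would hold: token => owner and stored file.
// 'used' implements the single-use option; drop that flag for re-downloadable links.
$tokens = [
    '58afg71057ga82157' => ['user_id' => 42, 'file' => 'a34501.pdf', 'used' => false],
];

// Step 1: the user must already be logged in (the "additional authentication").
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Login required');
}

// Step 2: look the token up; the client never learns the real file name.
$token = $_GET['file'] ?? '';
if (!isset($tokens[$token])) {
    http_response_code(404);
    exit('Unknown document');
}
$row = $tokens[$token];

// Step 3: the token must belong to this session's user and must not be spent yet.
if ($row['user_id'] !== (int) $_SESSION['user_id'] || $row['used']) {
    http_response_code(403);
    exit('Not allowed');
}
$tokens[$token]['used'] = true;   // in the real database this is an UPDATE before sending

// The file lives outside the web root, so there is no direct URL to guess.
$path = '/var/www/private/pdf/' . basename($row['file']);
if (!is_file($path)) {
    http_response_code(404);
    exit('Missing file');
}

header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="document.pdf"');
readfile($path);   // streams the file without loading it all into memory
exit;
```

Because the lookup key is the token and not the stored name, changing a digit in the URL yields a 404 rather than a neighbour's document, and the ownership check stops a token that leaks from being replayed by another logged-in user.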