.htaccess - Help securing files access with htaccess and php?

Question

I'm working on a site that allows users to purchase digital content and have implemented a method that attempts to serve secure downloads.

I'm using CodeIgniter to force downloads like this:

$file = file_get_contents($path);

force_download("my_file_name.zip", $file);

Of course, I make sure the user has access to the file using a database before serving the download, but I was wondering if there was a way to make these files more secure.

I'm using a some 8-10 letter keys to create the file paths so urls to the files aren't exactly easy to figure out... something like http://mysite.com/as67Hgr/asdo0980/uth89.zip in lieu of http://mysite.com/downloads/my_file.zip.

Also, I'm using .htaccess to deny directory browsing like so: Options All -Indexes.

Other than that... I have no idea what steps to take. I've seen articles suggesting username and password methods using .htaccess, but I don't understand how to bypass the password prompt that would occur using that method.

I was hoping there might be a method where I could send a username and password combination using headers and cUrl (or something similar), but I wouldn't know where to start.

Any help would be hugely appreciated. Thanks in advance!

Answer 1

Make it so the web server does not serve the files under any circumstances, otherwise all the checking is pretty moot. The best way to do that is to put them somewhere outside the webroot. I.e.:

/
  webroot/         <- root web directory, maybe named www or similar
    index.php      <- your app, served normally
    …other serve-able files…
  files/           <- not part of the serve-able webroot dir
    secret_file    <- web server has no access here

Then, if the only way to access them is through your script, it's as secure as you make your script.