How to protect my PDF file to registered members only?

Hello Lovely Team Members,

Usually, I can easily password protect my html and php pages using sessions.




However, recently, I have uploaded some PDF files.
It seems that anyone have free access to the PDF files without having to login.

So, How do I protect those PDF files to my members only ?


I would try it with:

  1. php-file:
    For members only.
    1.1. echo file_get_contents(PATH) to read the pdf-file and
    1.2. setting pdf-headers: header(“Content-type: application/pdf”);

  2. protect the folder with the pdf-file with .htaccess (file in the folder with the pdf-file):
    Order Deny,Allow
    Deny from all

The PHP code I use for displaying PDFs in a password protected area is:

header("Pragma: public");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: must-revalidate");
header('Content-type: application/pdf');
header('Content-Disposition: inline; filename="'.$pdf.'"');
header('Content-Length: ' . filesize("pdfs/$pdf"));

That needs the name of the pdf passed in as $pdf (and you may want to change the location from the pdfs folder).

I have code above that in the PDF that tests if the person is logged in before running that code.

By placing the PDFs in a password protected folder that doesn’t have a password or placing them above the public section of your hosting you prevent direct access to them so that they can then only be accessed through the PHP script.

Thank you very much blubb :smiley:

I have protected my folder using your .htaccess code.
Order Deny,Allow
Deny from all

Thank you felgall for the dynamic php script which is perfectly what I needed :smiley:


One issue I am having is that .htaccess does not seem to work on the Windows host I am working with. I don’t need high level (government top secret), but just want an area where certain members can share PDF and probably MS Word files.

If the site was on a Linux server, I know I could use .htaccess to protect the folder with those files. What can I do with a IIS server?

.htaccess has to do with Apache not with Windows and you can have Apache on Windows.

PDF files can be put into a directory having login access to members or PDF may not exist physically but a PHP script can generate it (generation can be fast using some text or some other data source), based on user authorization.

I tried to use .htaccess, and it did not work, so I suspect this setup does not have Apache, or they have .htaccess blocked.

Is there any way I can test for Apache?

This should give you an inkling . :slight_smile:


Plus make sure that .htaccess is not disabled. You can enable .htaccess by having following directive in your main Apache Configuration file.

[I]AllowOverride[/I] [I]All[/I] 

I am unable to open any file ending in php. So I feel sure that the IIS host is not providing any PHP. I always get a 404 error on a PHP file, but renaming it as .html will allow me to open the file, but it does not do anything (as I expected).

So this brings me back to the question: How to secure documents, or folders on a Windows IIS system? I suspect we could ask the host to transfer the site to a Linux server, but for my own education, I think I need to learn how to work with Windows.

You can set the PDF folders rights (CHMOD) to 600 (Owner only) and can put all your files there. And through script you can call the requested PDF file for the members. Now no one else can access the folder and the files in it.

This is starting to get real interesting. I will have to wait until I get home to access the site controls and see how to set rights to 600 for a folder. I can’t seem to see the permissions with Filezilla.

Once I get that done, you say I need a script. How do I keep the average visitor from accessing the script?

This is all new stuff for me.

Find out what server side language(s) your server does support and use the equivalent code written in that language.

For all the users who are not registered with your site, they CAN’T access to any of the PDF.

The next question is regarding the script. Yes you can let the registered users to open / download the pdf files in the secured folder. Like may be a php script that will list the PDF files on a page exclusive for the members, and then members can click any filename to download (through a force download script). Since the listing and force download script will be running as OWNER, so they can access the secured files and can present to the registered users.

I checked and the site supports FrontPage Server Extensions and nothing else. I also noticed that the only database support is Access Database Support.

I am thinking I need to get them to either move their site or upgrade it from the limited features it currently has.

With the limited features this site has what can I do?

I have never had “registered users” so an explanation would help, and how is that done?

Guess I better get up to speed on a lot of things I did not even know existed. :slight_smile:

To use FrontPage extensions you really need to use Expression Web as the editor to update the web pages as it is the only editor that currently understands what Frontpage extensions are.


I tried the 90 day trial of Expression Web, and did not like it. I think I will be pushing for an upgrade to add SSI or a shift to Linux which will have PHP and Apache with that host.

What will happen with the IIS security on the PDF folder we secured if we change to Linux. Will the security be gone and I can then use .htaccess to secure the folder? I suppose we will find out if we switch to Linux.

Can you point me to some helps for SSI? I need to know how to have includes, and will need to figure out how to get some scripts for the secure folder.

SSI basically can only contain HTML that is to be shared between pages. It will not add any server side scripting capability and so will not help with what you are trying to do.

Thx Man