Secret download of a file inside the browser with the correct file name

I am doing some work on a website that has a secure area accessible to users only after they are logged in. In this area there is a page with links to pdf documents that can be downloaded. Physical documents are located outside the root directory of the website. Links to PDF documents look something like this:

 index.php?page=secure-area/download&file=protected.pdf

Which does the following (note: I know that this is a way to force the download, not open the file inside the browser):

    // check security, get filename from request, prefix document download directory and check for file existence then...
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($file));
    header('Connection: Close');
    set_time_limit(0);
    readfile($file);

This works well, but in Firefox 3 and Internet Explorer 7 (I have not tested with any other browser) it will not open this file inside the browser, they both show the download dialog (as expected). If I select Open rather than Save, the document loads and Adobe Reader launches outside the browser to render the document.

The problem is downloading the file inside the browser and having the correct default file name when saving.

I would like to open the document in the browser. One way to do this is to use the header "Content-Disposition: inline;", but that means that I cannot specify the file name (because it seems to be ignored by the browser). The problem with this is that when I save the document, the default name is based on the URL, not the name of the PDF document file:

 http___example.com_index.php_page=secure_area_download&file=protected.pdf 

How can I get Firefox and Internet Explorer to open the document inside the browser and provide the correct default filename for saving?

+4
security browser file download inline
Dec 19 '08 at 19:07
5 answers

I finally came up with a workaround for this issue.

Although RFC 2183 shows that the file name parameter can be used for both attachment and inline in the Content-Disposition header, browsers seem to ignore the file name parameter when inline is used, and instead try to determine what the file name should be based on the URL. If the URL does not have a query string, then the portion of the URL that follows the last / seems to be used as the file name.

I changed the links for loading secure PDFs to use pretty URLs that don't contain a query string, and used mod_rewrite with a .htaccess file to translate these pretty URLs into a call to the correct script with the right parameters.

Old link:

 index.php?page=secure-area/download&file=document.pdf 

New link:

 file/secure-area/download/document.pdf 

.htaccess:

    RewriteEngine On
    RewriteRule ^file/secure-area/download/(.*)$ index.php?page=secure-area/download&file=$1 [L]

The script used to actually send the file is the same as I used before (note that the example in the question uses Content-Disposition: attachment, not Content-Disposition: inline, to demonstrate browsers saving the document with the correct file name when not inline).

    // check security, get filename from request, prefix document download directory and check for file existence then...
    header('Content-Type: application/pdf');
    header('Content-Disposition: inline; filename="' . basename($file) . '"');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($file));
    header('Connection: Close');
    set_time_limit(0);
    readfile($file);

Now the PDF document opens in the browser and, when saving, the default file name is

 document.pdf 

but not

 http___example.com_index.php_page=secure_area_download&file=document.pdf 

IE 7 converts spaces in the file name to + and single quotes to %27 when saving (Firefox does not). I would like to stop this, but for now I am happy with what I have.

+6
Dec 24 '08 at 1:10
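
One way to fill in the "check security, get filename from request, prefix document download directory and check for file existence" step that the answer leaves as a comment, as an added example that is not the poster's code. It assumes PHP 7.1 or later and that the login check has already run; `DOWNLOAD_DIR` and the function names are hypothetical.

```php
<?php
// Added example. DOWNLOAD_DIR and all function names are assumptions.
const DOWNLOAD_DIR = '/srv/secure-documents'; // assumed directory outside the web root

/** Map the "file" request parameter to a real file inside the download directory, or null. */
function resolveDownload(string $requested, string $baseDir = DOWNLOAD_DIR): ?string
{
    // The rewrite rule captures (.*), so the value may contain slashes or "..".
    $name = basename(str_replace('\\', '/', $requested));
    if ($name === '' || $name === '.' || $name === '..' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks; the result must still sit under the base directory.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Build an inline Content-Disposition value that is safe to emit as a header. */
function inlineDisposition(string $filename): string
{
    // Drop control characters (CR/LF included) so the name cannot split the header.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $filename);
    // Quoted-string fallback: replace quote, backslash and non-ASCII bytes.
    $ascii = preg_replace('/[^\x20-\x7E]|["\\\\]/', '_', $clean);
    // RFC 5987 form for browsers that read filename*; rawurlencode() gives %20, not +.
    return 'inline; filename="' . $ascii . '"; filename*=UTF-8\'\'' . rawurlencode($clean);
}

function sendPdfInline(string $requested): void
{
    $path = resolveDownload($requested);
    if ($path === null) {
        http_response_code(404); // same response for "missing" and "outside the directory"
        return;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: ' . inlineDisposition(basename($path)));
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

With the rewrite rule above, the script would call `sendPdfInline($_GET['file'])` after its access check.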

Try using

 Content-Disposition: inline; 
+1
Dec 19 '08 at 19:24

No, she says that it is not possible to specify a file name when using "Content-disposition: inline". The "file name" is used only when using "Content-disposition: attachment", as in her first example. This causes the document to load with the correct file name. However, what this solution is trying to achieve is a document rendered INLINE, which, when loaded from a browser, uses the correct file name, not the script name.

Is there any other way to specify the file name when using "inline" other than rewriting the URL? The page I wrote for rendering documents accepts the database identifier, so rewriting will be more difficult, I think (the file name would have to be requested from the database).

0
Jan 19 '09 at 15:28

Content-disposition: inline can be used with a file name. But only some browsers pick this up and follow it. The effect is visible only when you save the file yourself: the file name that you define using Content-Disposition will be suggested.

0
Oct 07 '09 at 10:31

You are telling it to do this by using Content-disposition: attachment. Try using Content-disposition: inline.

-1
Dec 19 '08 at 19:24


