为 PDF 创建安全文件托管服务器

问题描述

我正在开发一个网站，允许客户登录并查看保存在服务器上的各种 PDF.这些 PDF 对客户端来说是唯一的，不应该被未登录的人访问.将文件放到服务器上应该不是问题，我只是不确定如何将它们提供给最终用户.

I'm working to develop a website that allows clients to log in and see various PDFs saved on the server. These PDFs will be unique to the client and should not be accessible by someone who is not logged in. Getting the files onto the server shouldn't be an issue, I'm just not sure on how to serve them to end users.

我已经通过提供来自 SQL 服务器 的数据而不是文件来实现这种事情，所以我不完全确定最有效的方法是什么.

I've implemented this kind of thing with data from SQL servers being served instead of files, so I'm not entirely sure what the most effective way to go about this.

该网站位于 LAMP 上，而我在 PHP 方面的经验最少(但如果框架或其他语言能让这变得更容易，我可以学习它).

The website is on a LAMP and my minimal experience is in PHP (but if a framework or other language would make this easier, I can learn it).

我可能有点不知所措，但我通常是这样，所以任何输入都会很棒.

I'm probably in over my head but I usually am, so any input would be great.

推荐答案

将文件放在 webroot 之外.然后使用 PHP 通过脚本传递文件.这样，没有人可以直接链接到文件并绕过您的控制.(当然要确保只有在验证用户有权检索该文件后执行此操作的脚本).

Put the files outside of the webroot. Then using PHP pass the file though a script. That way no one can link to the file directly and bypass your controls. (Naturally make sure the script that does this only after verifying the user has permission to retrieve that file).

示例 PHP:

<?php
    session_start();
    if (!isset($_SESSION['authenticated'])) {
        exit;
    }
    $file = '/path/to/file/outside/www/secret.pdf';

    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename=' . basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
    exit;
?>

这篇关于为 PDF 创建安全文件托管服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！