Best Practise: How to protect user specific files in a web-folder?

Question

I have a website with different user groups. Each user group has different pages they can access. These pages can contain links to files (documents, pdf, etc.). Each group should now be able to access only their documents in the group-specific folder.

What is the best practise to make this work? Following things came up:

• Generate a Hash of all uploaded files and name the file according to the hash, so that it can't be found by trying and restrict displaying of directory. (Problem: Links can be shared and files would be accessible by public)
• Restrict Access with .htaccess file (Problem: User must type in a password each time and the cms can be linked to the .htaccess file - not dynamic)
• Check if cookie exists with .htaccess eg http://www.willmaster.com/blog/contentprotection/htaccess-cookie.php (Problem: not dynamic if I create new user groups)

What is the best solution for this problem? Is it any of the mentioned?

Answer 1

What I did was wrapping the files in a dynamic script with access control:

if ($userIsLoggedIn)
{
  header('Content-Type: application/pdf');
  header('Content-Transfer-Encoding: binary');
  header('Content-disposition: inline; filename="'.$filenameOfPDF.'"');
  header('Pragma: public');
  readfile($pathToPDF);
}
else echo 'You do not have access';

This is written in PHP. The file itself is stored in a directory which is not accessible from the web.

The only disatvantage is that you would need to do this for every file type. If only access is important you could generalize:

if ($userIsLoggedIn)
{
  header('Content-Type: application/octet-stream');
  header('Content-Transfer-Encoding: binary');
  header('Content-disposition: inline; filename="'.$filename.'"');
  header('Pragma: public');
  readfile($path);
}
else echo 'You do not have access';

But I am sure there are other solutions.