
PHP - Using Session Variables to Protect .docx Files in the same directory

I created a PHP application that automates the creation of rental documents such as leases, extensions, notices, etc. The application creates and saves the rental documents in a designated directory as a Word document.

My application requires the user to log in and verifies the login using a session variable. My problem is how to protect the /docs/ directory that contains completed rental documents. If someone knew this directory existed, they could simply type it into a browser. I added a blank index.html file to this directory. This keeps the file names from displaying. I'm just wondering what is the best way to protect this directory, since it will contain docs with personal information?

Ryan, thanks for your advice. As you suggested, I saved the files outside of the document root and accessed them with this code.

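<?php
// basename() drops any directory part, so "../" in the parameter cannot leave ../test/
$doc  = basename((string)($_GET['doc'] ?? ''));
$path = "../test/" . $doc;
if ($doc === '' || !is_file($path)) {
    http_response_code(404);
    exit;
}
header('Content-Description: File Transfer');
header('Content-Type: application/msword');
header('Content-Disposition: attachment; filename="' . $doc . '"');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
// filesize() needs the full path; the original passed an undefined $doc
header('Content-Length: ' . filesize($path));
readfile($path);
?>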

To access the files, I include the filename in the URL that links to the above code. Ex. http://example.com/test.php?doc=filename.docx
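An added example, not part of the original post: the same download script with the session check the question asks about and a containment check on the requested file name. The session key `user_id`, the directory `/var/app/rental-docs` and the function `resolve_doc()` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical storage directory outside the web server's document root.
const DOC_ROOT = '/var/app/rental-docs';

/** Map a requested file name to a real file inside $root, or return null. */
function resolve_doc(string $root, string $requested): ?string
{
    // Accept only a bare .docx name: no path separators, quotes or control bytes.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9 ._-]{0,120}\.docx\z/', $requested)) {
        return null;
    }
    $rootReal = realpath($root);
    $path     = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($rootReal === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks, so confirm the result is still under the root.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
// Assumption: the login page sets $_SESSION['user_id'] on successful login.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

$requested = is_string($_GET['doc'] ?? null) ? $_GET['doc'] : '';
$path = resolve_doc(DOC_ROOT, $requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
header('Content-Length: ' . filesize($path));
readfile($path);
```

This confirms that a user is logged in, not which user a document belongs to. Limiting each user to their own documents needs a lookup in the application's own records before `readfile()`.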
