Question
I have a typical MVC based website, and I'd like to give some registered users the ability to extract data from the database (in a variety of formats). The workflow is very simple:
User logs in,
User clicks export,
A file is generated,
User downloads the file.
I'm trying to figure out a way to secure the last step and limit access to the file. In order for the user to be able to download the file, it should be in a publicly accessible folder. That, however, means that the file is accessible to everyone else that has access to its full URL.
I thought of a few possible solutions:
Email the export file
Instead of having the user download the file, I could simply email it to their email (the one they used to register on the site). This seems like a decent option when the export files are small, but I don't think it'll be optimal for larger files.
.htaccess magic
I could automagically generate an .htaccess in the export dir that would only let the user who requested the export access it. Also a decent option, but it's webserver specific and IP based. I don't know if Apache will always be the webserver of choice for the project, and I'm not sure an IP based solution is actually secure.
Store the export file in a private folder and have the user fetch it through ftp
Secure, but not particularly user friendly.
All my options seem to have problems, and I'm at that point where I'm completely stuck and can't shake the feeling I'm missing something obvious. Am I? Is there a better workflow?
I'm more interested in a high level overview than technical details, the project is still in its early days and technical requirements haven't yet stabilized (e.g. we may not use Apache after all). The project is built in PHP, but I don't think that matters (does it?).
Thanks.
Explanation / Answer
You could serve the file via your PHP script, which checks if the user is authenticated.
E.g. pseudocode
    if session.user is loggedIn
        filename = url.filename
        if filename belongs to session.user
            fetchfile(filename)
        else
            "you are not authorized to download this file"
    else
        "please log in"
So only the user who requested the export is able to download it. If another user gets the URL, he cannot download anything.
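The check described in the answer, written out in PHP as an added example that is not part of the original answer. The `exports` table and its columns, `EXPORT_DIR`, and the function names `resolveExport` and `sendExport` are assumptions; `str_starts_with` needs PHP 8.

```php
<?php
declare(strict_types=1);

// Assumptions (not from the page): exports are written outside the document
// root, and an `exports` table (id, user_id, stored_name) records ownership.
const EXPORT_DIR = '/var/app/private/exports'; // hypothetical path

// Returns the absolute path of the export, or null if the id is unknown,
// owned by someone else, or resolves outside the export directory.
function resolveExport(PDO $db, int $userId, string $exportId, string $baseDir = EXPORT_DIR): ?string
{
    $stmt = $db->prepare('SELECT stored_name FROM exports WHERE id = ? AND user_id = ?');
    $stmt->execute([$exportId, $userId]);
    $name = $stmt->fetchColumn();
    if ($name === false) {
        return null; // no such export for this user
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . basename((string) $name));
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null; // missing file, or a symlink pointing elsewhere
    }
    return $path;
}

function sendExport(PDO $db): void
{
    session_start();
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('please log in');
    }
    $id = (string) ($_GET['id'] ?? '');
    $path = resolveExport($db, (int) $_SESSION['user_id'], $id);
    if ($path === null) {
        http_response_code(404); // same reply for "missing" and "not yours"
        exit('export not found');
    }
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

Looking the file up by an export id tied to the session user, rather than trusting a filename taken from the URL, keeps a crafted filename from reaching the filesystem call.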