I need to display media files on my website. For pictures there is no problem, but for .mht I use an iframe and for docx, xlsx and pdf I use the Google viewer. The display occurs in a session-protected page. The files are in a folder protected with htaccess:
order deny,allow
deny from all
allow from 127.0.0.1
Done this way, the iframe and the Google viewer fail to access the files as they aren't authorized.
One solution I was thinking of would be to detect the user's IP and add the following rules to the htaccess:
allow from google.com
allow from 'user_ip'
But anyone with a Google Compute Engine account could sneak in.
I could use rewrite engine:
RewriteEngine On
RewriteRule ^myfiles/([^/]*)\.pdf$ /index.php?file=$1 [L]
Options All -Indexes
And check the user session in index.php, but my iframe and the Google viewer are added dynamically through Ajax calls...
I could also make a temporary copy of the file to a publicly accessible folder. But anyone could just sniff this folder and after a while get the whole collection of the files viewed through this.
Any idea on how to restrict access to these files to users with a valid session only, when launching an iframe or a Google viewer?
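An added example, not part of the original post: the Google viewer fetches the document from its own servers and cannot send the user's session cookie, so one option is for the session-protected page to issue a short-lived HMAC-signed link that index.php verifies before streaming the file from the deny-all folder. The names `SECRET`, `FILES_DIR`, `TTL`, `make_link` and `check_link` and the query parameters `exp` and `sig` are assumptions; the link targets /index.php directly rather than going through the rewrite rule above.

```php
<?php
// Added example; all names, paths and the secret below are hypothetical.
const SECRET    = 'replace-with-a-long-random-value'; // placeholder, keep out of the web root
const FILES_DIR = '/var/www/protected/myfiles';       // assumed path of the deny-all folder
const TTL       = 120;                                // seconds a link stays valid

// Call from the session-protected page or its Ajax endpoint, after the session check.
function make_link(string $file, int $now): string {
    $exp = $now + TTL;
    $sig = hash_hmac('sha256', $file . "\n" . $exp, SECRET);
    return '/index.php?file=' . rawurlencode($file) . "&exp=$exp&sig=$sig";
}

// Call in index.php before sending anything. Returns the file path, or null to refuse.
function check_link(array $q, int $now): ?string {
    $file = $q['file'] ?? null;
    $exp  = $q['exp']  ?? null;
    $sig  = $q['sig']  ?? null;
    if (!is_string($file) || !is_string($exp) || !is_string($sig)) return null;
    if (!ctype_digit($exp) || (int)$exp < $now) return null;       // malformed or expired
    // Only a plain file name is accepted: no directories, no "..", no dotfiles.
    if ($file === '' || $file[0] === '.' || basename($file) !== $file) return null;
    $want = hash_hmac('sha256', $file . "\n" . $exp, SECRET);
    if (!hash_equals($want, $sig)) return null;                    // constant-time compare
    return FILES_DIR . '/' . $file;
}

// index.php: serve only when the signed link verifies.
if (PHP_SAPI !== 'cli') {
    $path = check_link($_GET, time());
    if ($path === null || !is_file($path)) {
        http_response_code(403);
        exit;
    }
    header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path);
}
```

The signed link is a bearer token: anyone who obtains it can fetch that one file until `exp` passes, so `TTL` should be as short as the viewer tolerates.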