• In general, the question is: how to mask external download links as internal links and make them only accessible by logged-in WP users, at the htaccess level or with a PHP script? We have a Perl-based script at our external URL and it's generating different download URLs. If you can help with how we can apply it on the external site, we can do so.

    We successfully redirect https://www.ourwebsite.com/resources to external download link by simple htaccess code:

    Redirect 301 /resources https://external.com/direct-download-link1

    However, if the URLs (www.ourwebsite.com/resources/download-1.html etc.) are scraped by WordPress members and shared and pasted into their browser address bars when they aren't logged in, then the download links are still accessible. We want to prevent this. So how do we disallow non-members from accessing the download links directly?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Option 1:
    In PHP you can do a check for is_user_logged_in() and only display the content if it returns true

    Option 2 (insecure, but may work for you):
    You can check for the existence of a WordPress login cookie (however, this will not be validated and can be easily spoofed – should be fine for less secure files).
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
    Credits: https://wordpress.stackexchange.com/a/285311

    Thread Starter vipini

    (@vipini)

    @designsmoke thanks for the reply.
    Option 1 is not an option because I want to apply it for logged-in members as well.

    How can I implement this code with

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} ^.*(mp3|m4a|pdf|doc|xlsx|docx|xls)$
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
    RewriteRule (.*) https://website.com/login/

    Redirect 301 /resources https://external.com/direct-download-link1

    this code?
    Note: there's no /resources folder actually in my WordPress.

    What about this code:

    require('../wp-load.php');  // modify to reflect where your PHP file is in relation to WordPress
    $roles = wp_get_current_user()->roles;  // get current users role
    
    if (!in_array('alloweduserrole',$roles)) {  // modify to match your roles that are allowed to download
    
        header('Location: https://www.ourwebsite.com/');
        exit;
    
    }  // end of if user does not have the proper role

    You can replace the original .htaccess code with this code, for example. It will redirect you if you have a cookie named “*wordpress_logged_in*”, which is automatically set by wordpress (but can be easily created, so it’s not 100% secure).

    RewriteEngine On
    RewriteCond %{HTTP_COOKIE} ^.*wordpress_logged_in.*$ [NC]
    RewriteRule ^resources/?$ https://external.com/direct-download-link1
     [L,R=301]
    
    • This reply was modified 5 years, 6 months ago by DesignSmoke.
    Thread Starter vipini

    (@vipini)

    @designsmoke when I apply

    RewriteEngine On
    RewriteCond %{HTTP_COOKIE} ^.*wordpress_logged_in.*$ [NC]
    RewriteRule ^resources/?$ https://external.com/direct-download-link1
     [L,R=301]

    this code, the site went into a 500 internal server error.

    • This reply was modified 5 years, 6 months ago by vipini.

    @vipini Whoops, that’s my bad, I accidentally added a newline before the [L,R=301] and forgot the check for the url. Let me know if this works:

    RewriteEngine On
    RewriteCond %{HTTP_COOKIE} ^.*wordpress_logged_in.*$ [NC]
    RewriteRule ^resources/?$ https://external.com/direct-download-link1 [L,R=301]
    
    • This reply was modified 5 years, 6 months ago by DesignSmoke.
    Thread Starter vipini

    (@vipini)

    @designsmoke it seems it doesn't work.
    I clicked the download link while logged in and it brings up “page not found”,
    and when I click without being logged in it redirects me to “page not found” as well.

    • This reply was modified 5 years, 6 months ago by vipini.
    Thread Starter vipini

    (@vipini)

    I looked again and it gives a “page not found” error for logged-in too? Strange..

  • The topic ‘How to make redirected download urls be only accessible by logged-in members?’ is closed to new replies.
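
The thread's Option 1 (`is_user_logged_in()`) applied to the `/resources` redirect, as an added example that is not code from any participant in the thread. It lets WordPress validate the login cookie server-side instead of matching the cookie name in `.htaccess`, and it works even though no `/resources` folder exists. Assumptions: WordPress is installed at the site root, the code is loaded as a small plugin, and the second map entry is a placeholder target.

```php
<?php
/**
 * Plugin Name: Gated download redirect (added example, hypothetical plugin)
 */

add_action( 'init', function () {
    // Constructed map of gated local paths to external targets.
    // The first target is the URL used in the thread; the second is a placeholder.
    $gated = array(
        '/resources'                 => 'https://external.com/direct-download-link1',
        '/resources/download-1.html' => 'https://external.example/PLACEHOLDER-download-1',
    );

    // Use only the path part of the request and ignore a trailing slash.
    $request = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    $path    = untrailingslashit( (string) wp_parse_url( $request, PHP_URL_PATH ) );

    if ( ! array_key_exists( $path, $gated ) ) {
        return; // Not a gated download: let WordPress handle the request normally.
    }

    // Keep browsers and proxies from caching the redirect, so the login
    // check runs on every request.
    nocache_headers();

    if ( ! is_user_logged_in() ) {
        // The cookie is validated by WordPress here; a forged
        // "wordpress_logged_in" cookie name alone does not pass.
        wp_safe_redirect( wp_login_url( home_url( $path ) ) );
        exit;
    }

    // 302 instead of 301: a permanent redirect can be cached by the browser
    // and replayed later without reaching this check.
    wp_redirect( $gated[ $path ], 302 );
    exit;
} );
```

The `Redirect 301 /resources ...` line has to be removed from `.htaccess`, otherwise Apache answers before WordPress runs. A logged-in user still sees the external URL after the redirect, so this gate only hides it from visitors who never log in.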