Tips and Tricks HQ Support Portal › Forums › WP eMember › Problem with download folder protection functionality.
Tagged: file, folder protection, protection
- This topic has 8 replies, 4 voices, and was last updated 6 years, 5 months ago by admin.
November 16, 2012 at 5:53 pm #7929
I am trying to protect pdf documents, rather than posts or pages.
On a protected page I can hide the link to a document using:
link to document
When I try to access this protected link (when not logged in) it takes me to the “Join us” page.
Separately, I put a different document in the “Protected document folder”. I also put a link to that document on the page.
However when I am not logged in and try to access it I get a crude “Authentication required” pop-up window asking for a username and password. I was expecting it to take me to the Join us page again.
Actually even when I am logged in as free I still get the “Authentication required” pop-up window.
Any idea what I am doing wrong (I hope this in not the intended functionality). I am unable to find any documentation about these “Download Folder Protection”
Here is the page [http://www.excitant.co.uk/test-membership-page]
CheersNovember 17, 2012 at 3:51 am #51448
The files you keep in the download directly can only be accessed by a user who is logged into the site and can provide a correct username and password. That is all this feature does. It simply gives an extra layer of protection for static files that you will be linking to from your post pages that are protected with eMember.
You need to put links to these protected folder files from inside an eMember protected area. In the above example, you kept the link to that file outside of any emember’s content protection. No one will be able to download the file but it won’t send the user anywhere as this is just a plain link to a file.November 17, 2012 at 9:17 am #51449
OK, Admin, thanks for reply.
Now I almost get it. As you suggested I put the link to the protected document inside the [emember_protected] shortcodes and now I understand that the user needs to:
a) Be logged in AND
b) Provide their existing username and password again to access that particular document
However that is not quite what I want. I want to
a) Have the link to the pdf work so that the pdf is accessible when the user is logged in at the appropriate level
b) Simply allow access to the pdf once they have simply logged in (and avoid the second username and password)
c) Have that pdf in a place that can’t simply be copied from once the link is known (so that the log-in can not easily be bypassed)
I must be missing something really obvious here. Any ideas please?
Is there some other technique to protect the pdf from simply being found and downloaded (without requiring a second password)?
PhilNovember 18, 2012 at 3:37 am #51450
I understand what you want but there is no way to protect a static file (a direct link to a static file) without having a separate login mechanism for it (this is a limitation from Apache).
You can achieve what you want by using another software that reads the file and serves it to the client. This way the original file location stays hidden (the direct link to the static file is never exposed). For example, if you have WP eStore plugin then you can do something like that. See the 3rd option from here:
If the static file’s security is not that big of a deal then you don’t need to use this download folder protection at all. Simply put the direct link to your file inside a protected post. This way only your logged in users can see that link and click it.November 20, 2012 at 2:51 am #51451
Ok, I’ll try that, but I am confused by your assertion that “There is no way to protect a static file…in apache..without a separate login mechanism”
I had being trying to use S2Member. The protection mechanisms are very clear and allow me to protect files in a protected directory, and just use shortcodes in the pages and posts to protect them. They don’t need a second log-in and password. They call it the Download option. They seem to be able to do it.
I am with you because their front end and user log-in seems clumsy and the solution is complicated to design right for the way I want it. You have that sussed. However they clearly have the protected file sorted using a folder. I would love you to have that protected file piece sussed as well.
They are somehow using the .htaccess without a password. It seems to be secure and work. So I wonder if you could as well. Then you would have the perfect solution.
ThanksNovember 20, 2012 at 5:02 am #51452
They are not doing a direct static file protection. As soon as you have to use a shortcode to embed a file, it means its not a direct static file protection using nothing but Apache only.
See how you have to use a shortcode? That means it will read that file in the background. The exact thing eStore will do when you use eStore’s shortcode. This is why I recommended you that that alternative. Different users want/need different protections with file downloads (not all of them work the same way). We have a range of options. One of these options should cover the kind of options you are after.January 6, 2017 at 5:21 pm #51453danwithtnlwyMember
I have set up the protected download folder, but it’s not working as expected. The first time I click on a url that leads to a file in the /wp-content/uploads/emember/downloads/ folder, the system’s username/password dialog is presented. After I type in the credentials of a valid eMember user, the file is downloaded. At this point I am not/have not logged in to eMember. Then, when I click on another link to a file in the /wp-content/uploads/emember/downloads/ folder, the file is downloaded without the username/password prompt being displayed – and, again, I’m not even logged in to eMember. The .htaccess file that is in the emember/downloads folder has this in it:
AuthName “eMember Protected Folder”
So I know that I have the folder protection capability set up correctly. Also, the .htpasswd file has my user along with an encrypted version of the password. According to your documentation the user should be prompted every time they try to download a file, but that is not what I’m seeing. Also, when a user account expires, do you also delete their corresponding username from the .htpasswd file so that they can’t get to the content?January 6, 2017 at 8:59 pm #51454wzpModerator
I have set up the protected download folder, but it’s not working as expected. The first time I click on a url that leads to a file in the /wp-content/uploads/emember/downloads/ folder, the system’s username/password dialog is presented. After I type in the credentials of a valid eMember user, the file is downloaded. At this point I am not/have not logged in to eMember. Then, when I click on another link to a file in the /wp-content/uploads/emember/downloads/ folder, the file is downloaded without the username/password prompt being displayed – and, again, I’m not even logged in to eMember.
It is working as expected. The reason you don’t need to be logged into eMember, is because the folder protection is being handled by the server’s “Basic Authentication” feature:
This feature is part of your server, and is being used to protect a specific directory (i.e. “folder”) on your server. This is independent of eMember, whose job is protect content that is stored in your WordPress database.
Once your current browser session has been authenticated, you can access any file in the protected folder… until your next browser session. At that time, you need to be re-authenticated.January 6, 2017 at 11:38 pm #51455
The browser will have saved authentication which is why it is not asking you to login again. If you enter the URL in another computer (as if another member is trying to access it), you will see that it asks for the username and password again.
yes, when members account expire, they will lose access to the protected folder/file.
- You must be logged in to reply to this topic.