
atj4me/secure-file-downloader
=============================

A simple package to serve files securely behind a login.


[Source](https://github.com/atj4me/secure-file-downloader) | [Packagist](https://packagist.org/packages/atj4me/secure-file-downloader)


Secure File Downloader
======================


A simple, configuration-driven PHP package to protect files and directories with a username/password login form. It's designed to be self-contained, requiring no database or external dependencies, making it easy to drop into any PHP project.

The script handles serving a file from a private directory after a user successfully authenticates. If the user is not authenticated, it presents a clean, self-contained login form.

Features
--------


- **Standalone**: No database or framework required.
- **Secure by Default**: Uses `password_hash` for passwords, `random_bytes` for CSRF tokens, and `hash_equals` for timing-attack-safe comparisons.
- **Configuration Driven**: All settings (paths, credentials, tokens) are managed in a single PHP array.
- **Rate Limiting**: Basic protection against brute-force login attempts.
- **Secure Session Management**: Sets secure cookie flags (HttpOnly, Secure, SameSite=Strict).
- **Token-based Access**: Restricts access to specific URL tokens to prevent enumeration of protected files.

Requirements
------------


- PHP 7.4 or higher.
- [Composer](https://getcomposer.org/) for dependency management.

Installation
------------


1. Clone this repository or download the files into your project.
2. Run `composer install` to generate the `vendor/autoload.php` file. The project itself has no external dependencies but follows the PSR-4 autoloading standard.

Install the package via Composer:

```
composer require atj4me/secure-file-downloader
```

Usage
-----


1. Place the files you want to protect inside the directory you specified in `private_path`.
2. To access a file, use a URL like this: `https://yourdomain.com/path/to/getFile.php?token=some_valid_token&file=your_file.pdf`

    - `token`: Must be one of the tokens from your `valid_tokens` configuration.
    - `file`: The name of the file you want to access.

If the user is not authenticated, they will be presented with a login form. Upon successful login, the file will be served.
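The two request parameters above both need validating before any file is read. The following is an added PHP example, not the package's own code, showing a constant-time token check with `hash_equals` and a `file` lookup that stays inside `private_path`. It assumes `valid_tokens` is a flat list of strings; the function names, the token value and the temporary directory are hypothetical or constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added illustration, not the package's source. Config keys are from the
// README; function names and sample values are hypothetical/constructed.
function tokenIsValid(string $supplied, array $validTokens): bool
{
    $match = false;
    foreach ($validTokens as $known) {
        // Constant-time compare, no early exit on a match.
        $match = hash_equals((string) $known, $supplied) || $match;
    }
    return $match;
}

function resolvePrivateFile(string $privatePath, string $requested): ?string
{
    // Accept a bare file name only: no separators, no NUL byte.
    if ($requested === '' || strpos($requested, "\0") !== false
        || $requested !== basename($requested)) {
        return null;
    }
    $base = realpath($privatePath);
    $full = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // realpath() follows symlinks, so re-check containment on the result.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}
// Constructed demo: a temp directory stands in for private_path.
$config = [
    'private_path' => sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sfd-demo-private',
    'valid_tokens' => ['constructed-demo-token'],
];
if (!is_dir($config['private_path'])) {
    mkdir($config['private_path'], 0700, true);
}
file_put_contents($config['private_path'] . DIRECTORY_SEPARATOR . 'your_file.pdf', 'demo');
$requests = [
    ['constructed-demo-token', 'your_file.pdf'],      // known token, bare name
    ['guessed-token', 'your_file.pdf'],               // token not in valid_tokens
    ['constructed-demo-token', '../sessions/sess_x'], // path traversal attempt
];
foreach ($requests as [$token, $file]) {
    $path = tokenIsValid($token, $config['valid_tokens'])
        ? resolvePrivateFile($config['private_path'], $file) : null;
    printf("%-24s %-20s %s\n", $token, $file, $path === null ? 'deny' : 'serve');
}
```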

### 1. Directory Structure


For best security, your private files and session data should be stored outside of your public web root.

```
/your-project-root/
├── private/
│   └── files/
│       └── my-secret-document.pdf
├── sessions/
