[RESOLVED] Securing Files in a Folder


FearedAtheist
07-25-2008, 11:41 AM
I wrote a back-end system for clients in PHP who want to see how current projects are going and view any of their invoices.

I want to set it up so that they can only access/download their invoices via the account page when they are logged in and can't just enter the URL of the file at any time and access them that way.

I don't know if I would use .htaccess for this or set permissions or what. I was hoping someone had a good idea for how to handle this.

I'm not sure if it should be done on the Apache Server or in PHP.

Thanks in advance!

Mr. E. Cryptic
07-25-2008, 11:55 AM
Use the .htaccess file to redirect the request for any invoice to a PHP script which requires a username and/or password to proceed.

FearedAtheist
07-25-2008, 12:00 PM
I was kind of hoping to avoid entering another u/p since they had already logged in at this point in the site.

Mr. E. Cryptic
07-25-2008, 12:07 PM
Have you set a session when they logged in? If so, use the .htaccess to redirect requests for invoices to a PHP page that needs a session to be set and valid to display the invoice. Incidentally, what format are your invoices in?

FearedAtheist
07-25-2008, 12:14 PM
Yes, I am using a session. The invoices are just .docx files, so they don't actually display but instead initiate a download.

Mr. E. Cryptic
07-25-2008, 04:04 PM
If you want to actually 'secure' the files from unauthorised access, you have two main options.

1. You can keep the files in a MySQL database, fetching and printing each only when an authorised user requests them.

2. Place the files in their own dedicated directory. Add an .htaccess file to the same directory with something along the following lines:

RewriteEngine On
# Do not rewrite the handler itself, or every request would loop back into this rule
RewriteCond %{REQUEST_URI} !/index\.php$
# Send every other request in this directory, including existing .docx files,
# through index.php so the invoice is never served directly by Apache.
# (The original !-f / !-d conditions were removed: they exempted existing files
# from the rewrite, which is exactly what must not happen here.)
RewriteRule (.*) index.php?inv=$1 [PT,L,QSA]

Assuming the directory you dedicated to the invoices is called invoices, this will take any request to access a non-standard file in that directory and force it to process through an index page (prevents direct linking). A request for www.mysite.com/invoices/xxxxxxx.docx would be rewritten to www.mysite.com/invoices/index.php?inv=xxxxxxx.docx. You can then use index.php to handle your checks and choose whether you force a download dialogue or redirect to an error page.
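An added example of what that index.php can look like (not code from the thread): it checks the session the site already sets at login, restricts the inv parameter to a plain .docx file name, and streams the file from a folder outside the web root so the rewrite rule is not the only barrier. The session key $_SESSION['client_id'] and the path /var/www/private/invoices/<client_id>/ are assumptions.

```php
<?php
// Added example, not from the thread. Assumes the login code stores the
// client's id in $_SESSION['client_id'] and that invoices are kept OUTSIDE
// the web root at /var/www/private/invoices/<client_id>/<name>.docx.
session_start();

$invoiceRoot = '/var/www/private/invoices';   // assumed, not reachable by URL

// 1. Require the existing login session; give no hint whether the file exists.
if (empty($_SESSION['client_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Please log in to view invoices.');
}
$clientId = (int) $_SESSION['client_id'];

// 2. Accept only a bare file name ending in .docx: no slashes, no "..", no nulls.
$name = isset($_GET['inv']) ? (string) $_GET['inv'] : '';
if (!preg_match('/^[A-Za-z0-9_-]+\.docx$/', $name)) {
    header('HTTP/1.1 404 Not Found');
    exit('No such invoice.');
}

// 3. Resolve inside this client's own folder. realpath() must land under that
//    folder, which blocks traversal and reads of another client's invoices.
$dirReal = realpath($invoiceRoot . '/' . $clientId);
$path    = ($dirReal === false) ? false : realpath($dirReal . '/' . $name);
if ($path === false || !is_file($path)
    || strpos($path, $dirReal . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.1 404 Not Found');
    exit('No such invoice.');
}

// 4. Send the .docx as a download; the rewritten URL never exposes the real path.
header('Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the files sit outside the web root, a guessed URL that bypasses the rewrite rule still finds nothing to serve.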