We have some large files (1-8GB) that are not publicly accessible. Currently we're serving them up through a PHP script that buffers the files in 1MB chunks and writes it to the output. It's incredibly CPU intensive and slows the server down when only a few downloads are active. We want to move the file transfer work to Apache or a more efficient method. We are using cookie authentication. FTP downloads are out unless there's some way to authenticate FTP sessions through the existing PHP session cookie.

Ideally we'd like something where we can use PHP to hide the link to the file while it passes off the file transfer work to Apache, which is no doubt far more efficient at HTTP file transfers than PHP. We want to be able to resume downloads as well.

Any help is appreciated.

4 Answers4


mod_auth_tkt looks interesting. Here's a low tech solution if your Apache/PHP setup hosted on UNIX:

Keep your downloads in a non Web accessible directory and then use a PHP script to create unique symbolic links into it. Then you can delete the symlinks after a specified period of time (e.g. after 24 hours).

Here's an example. Assume that your files are stored in /private and protected by a .htaccess file. You also have a /public directory which is writable by the user Apache runs under.


  1. User goes to download page
  2. PHP script generates a unique download id to be used as the symbolic link filename (example: 79467404-7585-11df-9ead-0022190d59d2)
  3. PHP script creates a symbolic link from /public/79467404-7585-11df-9ead-0022190d59d2 to /private/file1
  4. PHP script redirects the user to http://example.com/public/79467404-7585-11df-9ead-0022190d59d2 allowing file download

You can then use a cronjob to run a "find /public -type l -mtime +24 -exec rm {} \;" or something similar to delete expired symlinks. (NB: be very careful when using find to delete files.)

This solution doesn't prevent someone from sharing the link for the next 24 hours, so it probably isn't appropriate in situations where that matters. But it doesn't require any additional Apache modules etc.

  • 549
  • 3
  • 3

X-Sendfile is made specifically for this type of operation. You can read about it at http://codeutopia.net/blog/2009/03/06/sending-files-better-apache-mod_xsendfile-and-php/

  • 7,854
  • 2
  • 34
  • 29

This Serverfault question could be related. Alternatively, you could use something like mod_auth_tkt.

Daniel Waechter
  • 266
  • 1
  • 5

I have used a service call Net 2 FTP, which is a pure html/PHP interface to access FTP accounts online. You can download and install the software relatively easily and it has no overhead since it's such a small website.

This software is extremely useful and easy to use, it sounds like it would be perfect for your usage.

The homepage is http://www.net2ftp.com/, it's completely freeware.

  • 91
  • 5