I'm writing a web application that allows users to upload their files to the app. The file is uploaded to the HTTP server after the user clicks the "upload" button. The user can retrieve the file by requesting it from its path, for example: http://www.demo.com/user/abc/download/the_file.jpg
But I found that anyone can access this file using the path. What can I do, or is there a better way to manage the files so that only registered users or the file owner can download them?
Serving a file directly from a script is not an option because of performance issues, and it's not really possible to serve BIG files because of memory limits.
The best option is to use the Apache module mod_xsendfile. The idea is to redirect all requests to a PHP/Perl/Python script which will just set an HTTP header saying "Hey Apache, serve this file instead" and mod_xsendfile will take care of it.
And the client will never be able to download the file without this authentication.
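The script half of the approach described in this answer, written out as an added example (it is not code from the answer or from mod_xsendfile). It assumes a WSGI app mounted under /user/, uploads stored in /srv/uploads outside DocumentRoot, a session cookie named `session`, and an in-memory stand-in for the session store and upload table; all of those are constructed for the example. The script never opens the file itself: it authenticates the caller, checks ownership, rejects any filename that could steer the path outside the owner's directory, and then hands Apache an `X-Sendfile` header with an empty body. Apache must have `XSendFile On` and an `XSendFilePath` covering the upload root for this to work.

```python
import mimetypes
import os
import re
from http.cookies import SimpleCookie

# Constructed stand-ins for a real session store and upload table (assumptions, not real data).
STORAGE_ROOT = "/srv/uploads"                                   # assumed upload root, outside DocumentRoot
SESSIONS = {"s3ss10n-abc": "abc", "s3ss10n-eve": "eve"}         # session cookie value -> logged-in user
FILES = {("abc", "the_file.jpg")}                                # (owner, filename) pairs that were uploaded

# Only plain filenames: no '/', no NUL, nothing that can add a path segment.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,255}$")
ROUTE = re.compile(r"^/user/([^/]+)/download/([^/]+)$")


def handle_download(session_token, owner, filename):
    """Decide one download request. Returns (status, headers).

    On 200 the headers carry X-Sendfile and the body stays empty, so Apache
    streams the file. Every other outcome is refused before any filesystem
    path is built from client input.
    """
    user = SESSIONS.get(session_token)
    if user is None:
        return "403 Forbidden", []              # not logged in
    if not SAFE_NAME.match(filename) or filename in (".", ".."):
        return "404 Not Found", []              # client-supplied name may not shape the path
    if user != owner or (owner, filename) not in FILES:
        return "403 Forbidden", []              # logged in, but not this file's owner
    path = os.path.realpath(os.path.join(STORAGE_ROOT, owner, filename))
    if not path.startswith(STORAGE_ROOT + os.sep):
        return "404 Not Found", []              # belt and braces: resolved path left the upload root
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    headers = [
        ("X-Sendfile", path),                   # mod_xsendfile strips this and serves the file
        ("Content-Type", ctype),
        ("Content-Disposition", 'attachment; filename="%s"' % filename),
    ]
    return "200 OK", headers


def application(environ, start_response):
    """Minimal WSGI entry point: every /user/<owner>/download/<file> URL goes through handle_download."""
    match = ROUTE.match(environ.get("PATH_INFO", ""))
    if not match:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    token = cookie["session"].value if "session" in cookie else None
    status, headers = handle_download(token, *match.groups())
    if not status.startswith("200"):
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode()]
    start_response(status, headers)
    return []                                   # empty body: Apache supplies the file


if __name__ == "__main__":
    # Local smoke test without Apache; mod_xsendfile is what turns the header into a download.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, application).serve_forever()
```

The regex plus the `realpath` check are deliberately redundant: the first refuses anything that is not a plain filename, the second catches any future route change that lets a path segment through. The 403 for "not the owner" and for "no such upload" is the same status on purpose, so a logged-in user cannot probe which filenames exist in someone else's directory.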
If you're using something like Apache httpd, you can use .htaccess files and have directories that are provisioned to users or groups if you want the user to continue accessing files at a path on the filesystem.
If you lock down the directory and have a script to manage file delivery, you can check permissions in the script and give the user the file requested or a 403.
I tend to use the script approach as it gives me more control over how the permissions are managed and over more complex access scenarios.
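The Apache side of both options in this answer, as an added example (Apache 2.4 syntax; not configuration from the answer or from any project). The first part is the "lock down the directory and let a script decide" option: uploads live in /srv/uploads outside DocumentRoot, so no URL maps to them, and the only way out is a script that sets X-Sendfile. The second part is the ".htaccess / provisioned directories" option: files stay reachable at their URL path but httpd's own authentication gates the directory. Paths, user/group file locations and the mount point are assumptions.

```apache
# --- Option 1: locked-down storage plus a gatekeeper script (assumed layout) ---
# Requires mod_xsendfile and, for a Python gatekeeper, mod_wsgi.
XSendFile On
XSendFilePath /srv/uploads                 # only files under this root may be sent via X-Sendfile
# Every /user/... request is answered by the script, never by a file on disk.
WSGIScriptAlias /user /srv/app/download.wsgi

# --- Option 2: keep files at a URL path, gate the directory with httpd auth ---
# Equivalent directives can go in a .htaccess file in that directory if AllowOverride AuthConfig is set.
<Directory "/var/www/html/user/abc">
    AuthType Basic
    AuthName "Files of user abc"
    AuthUserFile /etc/apache2/htpasswd     # assumed password file (htpasswd -c ...)
    AuthGroupFile /etc/apache2/htgroup     # assumed group file: "abc-readers: abc bob"
    Require group abc-readers              # or "Require user abc" for a single owner
</Directory>
```

Option 2 is the simpler one to set up, but every owner or group is a directory block and a line in the group file, which is why the answer prefers the script once the access rules get more involved.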