danieleveratti.com

Sometimes files to be downloaded need to be protected, for example when download is available only for registered users of a website. To do this we need to make a “wrapper” script which checks if the file to be downloaded is available or not and we have to put the file in a place on our web server where they cannot be accessed through a url. But using Internet Explorer we can have some trouble to let our users download the files correctly. Now I’ll make an example using PHP as server-side scripting language.

Consider that you have a directory structure similar to this:

- /var
- – /www
- – - /mysite
- – - – /public_html
- – - – /downloads

In this structure only pages (and files) in the “public_html” directory can be accessed with a URL and the “downloads” folder contains the “protected” files to be downloaded. So in the “public_html” folder we can put a script to provide dowloads, and call it “download.php” (remember PHP can access the whole server’s filesystem). We also assume we have a database table where files are stored and identified by IDs and that we can pass these IDs as GET parameters to the script.

ob_start();
include ("useful_functions.php"); // We need some extra functions, which won't be defined here...
session_start();
$file_id = $_GET['id'];
$user_id = $_SESSION['userid'];
if (userCanDownload($user_id,$file_id)){ # assume this function returns a boolean value
    $file_path = getFilePath($file_id);     # assume these following functions return a string
    $file_name = getFileName($file_id);
    $file_content_type = getFileContentType($file_id);
    ob_end_clean(); # We need to clean all possible output data before reading the file
    // Set the correct headers
    header ('Content-type: '.$file_content_type);
    header ('Content-disposition: attachment; filename="'.$file_name.'"');
    readfile($file_path);
} else {
  ob_end_flush(); # If there was output in previous line, display it
  echo "Download not permitted";
}

This script won’t work using IE as you can see at the header function page of the PHP online manual.
For it we just add some extra headers before reding the file:

header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

Using Internet Explorer can bring some other errors especially if mod_gzip is activated on the web server. Mod_gzip is an extension to the apache web server which compresses using GZIP all Apache’s output before sending to the browser in order to use less bandwith e let downloads to be faster.
While Firefox doesn’t make any control, Internet Explorer does. IE doesn’t look the content-type header, it tries to identify the file type while reading the first bytes of the file to be downloaded. But using mod_gzip, all files are Gzipped archives! If the Content-type specified in the header section doesn’t match the one IE identifies, content-type will be ignored, so all the files will be identified as ‘compressed folders’ and content-disposition filename attribute will be ignored as well. To avoid this we can disable mod_gzip placing this script piece before the headers’ section:

apache_setenv("no-gzip","1");

Other tricks that will make downloads easier using Internet Explorer is to put in your “download.php” script:

ini_set("zlib.output_compression","Off"); # Disable PHP's output compression

header ("200 HTTP/1.0 OK"); # Force the answer to be HTTP/1.0 compatible

Summarizing all, our download.php script should be like this:

ob_start();
include ("useful_functions.php"); // We need some extra functions, which won't be defined here...
session_start();
$file_id = $_GET['id'];
$user_id = $_SESSION['userid'];
if (userCanDownload($user_id,$file_id)){ # assume this function returns a boolean value
    $file_path = getFilePath($file_id);     # assume these following functions return a string
    $file_name = getFileName($file_id);
    $file_content_type = getFileContentType($file_id);
    apache_setenv("no-gzip","1");
 
 
    ini_set("zlib.output_compression","Off"); # Disable PHP's output compression
    ob_end_clean(); # We need to clean all possible output data before reading the file
    // Set the correct headers
    header ("200 HTTP/1.0 OK"); # Force the answer to be HTTP/1.0 compatible
    header("Pragma: public");
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header ('Content-type: '.$file_content_type);
    header ('Content-disposition: attachment; filename="'.$file_name.'"');
    readfile($file_path);
} else {
  ob_end_flush(); # If there was output in previous line, display it
  echo "Download not permitted";
}

8 comments on “Internet Explorer: FIXED ignored Content-disposition of PHP generated downloads”

Timur Alhimenkov

January 27th, 2009 at 23:23

Wow! Thank you!
I always wanted to write in my blog something like that. Can I take part of your post to my site?
Of course, I will add backlink?

Sincerely, Timur I.

| Back to top

Eamonn McGonigle

February 28th, 2009 at 17:20

Hi,

Thanks for this blog entry…it sorted out a problem for me. I was making modifications to a years-old bit of code and needed to add a “session_start()” call which wasn’t there before. Suddenly in Internet Explorer (and only Internet Explorer) when users went to download a file they were no longer being offered the “Save As…” filename I was including in the “Content-Disposition” header. I could see no reason why: the only extra thing being sent back was the PHP session cookie.

Anyway, I found your post and I included the three additional header lines and – voila – it works. I did a little more experminentation and it looks like the “Pragma: public” line is the one that does the trick (it still works if I comment out the other two).

It is unbelievable the amount of time developers have to waste coding around various bits of stupidity in Internet Explorer. My current bedtime reading is the excellent “The CSS Anthology: 101 Essential Tips, Tricks & Hacks” by Rachel Andrews (highly recommended) and it is striking how many references she has to various quirks, bugs, limitations, pecadillos of Internet Explorer.

Anyway, thanks again for taking the time to post this.

Best Wishes,
Eamonn

| Back to top

Phius

April 9th, 2009 at 15:38

Hello, Daniele.

I’ve put your name on the post, instead of just that link. Thank you for contacting me and sorry for didnt doing this before.

I was using that initial two headers and then I saw that it wasnt working on IE. Then I’ve started to Google for a solution and I’ve found your blog. With me, your solution worked perfect on my local server, but when I uploaded it to my host, I’ve got and internal server error (just because that header trying to force an http 1.0 response). Taking out the line that caused this, the solution wasnt working properly on IE6 (things was being printed on the screen instead of the download). So I started to Google again My blog is also my “knowledge repository” when nothing I find on internet is perfect for me, so I posted result here – I mean this is not exactly a copy of your post… its something that worked for me and I need to have it documented.

Thank you for your solution and contact. Best regards.

Phius

| Back to top

Fenix

May 29th, 2009 at 10:47

None of that worked unfortunately. I did stumble upon another article which prompted me to do some digging. This is how I solved my problem:

By default, the session.cache_limiter variable in php.ini is set to ‘nocache’. I’m not 100% certain, but from the dialog boxes I’ve noticed when downloading stuff from Internet Explorer, it likes to cache the download inside a temp folder and then saves it where you intended.

So you need to set session.cache_limiter to either ‘private’ or ‘public’ by calling the session_cache_limiter($cache_limiter) function before calling session_start(). The only difference between public and private is whether the data is cached at proxies (public, yes; private, no). Both public and private cache limiting caches at the client.

By the way, I’m using IE8. Hope this helps!

| Back to top

Eleanor

October 8th, 2009 at 15:41

Many thanks for that, I was tearing my hair out with a download problem!

| Back to top

beetie

November 19th, 2009 at 18:39

You’re a life saver! I’ve searched up and down for hours for a solution to this problem (I was trying to serve PDF files). I’ve tried probably a hundred different solutions and none worked except this.

Well done!

| Back to top

Miroslav

May 18th, 2010 at 11:38

Great post. Very detail.
Thank you for IE problem explaination.

| Back to top

1 Trackbacks / Pingbacks

PHP e IE: Resolvendo o problema com download usando content-disposition | Blog da Digital Tree

April 8th, 2009 at 20:36

[...] solução é uma mistura de duas soluções que encontrei. A primeira solução resolveu o problema no IE7, mas não no IE6. Depois adicionei mais um header que encontrei neste [...]

| Back to top

Write a comment

Please allow me introduce myself…

Hi! This is Daniele Veratti, an italian programmer and IT professional! Thank you for visiting this web site. Hope you'll find what you're looking for. Please feel free to drop a comment. If you need to contact me you can write to contactNO@SPAMdanieleveratti.com (delete NO and SPAM). We can also fix a meeting via Skype or Telephone.

Internet Explorer: FIXED ignored Content-disposition of PHP generated downloads

8 comments on “Internet Explorer: FIXED ignored Content-disposition of PHP generated downloads”

1 Trackbacks / Pingbacks

Write a comment

Please allow me introduce myself…

Blogroll

You can also find me on...