I have a website where, after login, people can download personalized PDF documents. There is a specific problem for which I have found no solution or discussion on StackOverflow yet.
First, I deliver the documents with this function (before headers are sent):

    function _outputContent(&$fileEntry) {
        // return $fileEntry content (decrypted PDF file)!
        header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
        header("Cache-Control: private", false);
        header("Accept-Ranges: bytes");
        header("Pragma: public");
        header('Expires: 0');
        header("Content-Description: File Transfer");
        header("Content-Type: application/pdf");
        header("Content-Disposition: attachment; filename=\"" . $fileEntry["name"] . "\"");
        header("Content-Transfer-Encoding: binary");
        header("Content-Length: " . strlen($fileEntry["decrypted"]));
        echo $fileEntry["decrypted"];
    }

The thing is that, mainly on mobile devices and depending on the web browser, preferences and settings, this opens a new tab in the end user's web browser if the web browser displays the PDF directly. If the user later closes the web browser and opens it a few hours later, some web browsers try to restore all previously opened tabs and trigger invalid download requests for these tabs. The highest count was 56 requests in three seconds from a single device. Sadly, this triggers mod_evasive and another security tool we implemented against DoS attacks.
Is there a way to deliver the PDF so that no download URL stays in the newly created tab?
I tried other Content-Type values like application/octet-stream, but this causes issues for end users who want the PDF to be opened directly. Some seem unable to open a downloaded file later on, so it is good that the PDF is displayed immediately. Or can I prevent the web browser from creating a new tab at all?