Creating Long-term Download Links for Filled PDFs

Overview

In some situations it is necessary to provide a long-term download link to the filled PDF to the user (by email or other methods) after they have completed the contact form, instead of attaching the PDF to CF7 email message or providing a temporary download link in the form response.

There are a number of ways to provide the link to the user:

  1. Link in the email message the user receives after the user fills out the form
  2. Link on the thank you page that appears after the user fills out the form

The reason for needing to provide a link rather than attaching the filled PDF file to the sent email message might be the rather large size of the generated PDF file and the inability of email to handle large attachments.

Implementation Methods

The first step is to set up your form to save the filled PDFs at a specific path on your server.

The above option allows you to save your filled PDF files somewhere in the wp-content/uploads directory. Mail-tags can be used as part of the path. You have to make sure to use mail-tags that provide a unique path and/or filename. One option is to use the [_serial_number] mail-tag requires the Flamingo plugin). Set the save path option to my-pdfs/[_serial_number] and set the filename option to document. Your filled PDF file will be stored at wp-content/uploads/my-pdfs/#####/document.pdf (where ##### would be a unique sequence number). You can then provide a link to [_site_url]/wp-content/uploads/my-pdfs/[_serial_number]/document.pdf in your CF7 email message or form response message.

Ensure a unique path and filename combination. If a matching file path exists, a numerical identifier will be appended, potentially causing unexpected outcomes. For example, if the mail download link always points to document.pdf then it will not be pointing to the correct file after the first submission because the actual filename may be document-1.pdf.

Using [_serial_number] in your path or filename potentially poses a security risk. It becomes possible to predict file paths, which is useful for malicious actors seeking access to your clients’ files. Make sure the save directory has indexing disabled and set the save path option to something that is hard to guess. You can use a solution similar to one in section “Adding Links to Thank You Pages” or use a mail-tag that contains some user-specific private information, such as [_user_login]. You can also use a mail-tag provided by a third party plugin capable of providing unpredictable values. For example, Contact Form 7 Dynamic Text Extension plugin to create a mail-tag with a random number.

Sometimes it is necessary to provide the download link to the filled PDF file from another page on your website, such as the thank you page that the user is redirected to after submitting the form.

You will need to create a tiny plugin that will create a CF7 special mail-tag and a WP shortcode. Both will output a “user session ID” that will be stored in user’s cookies. The filled PDF will be saved on the web server at a path that contains the session ID and the redirect page will link to that same location (via the shortcode).

<?php
/*
Plugin Name: CF7 special session id mail-tag and WP shortcode
Version:     0.1
*/

add_filter('wpcf7_special_mail_tags', 'wpcf7_session_id', 10, 3);
function wpcf7_session_id($output, $name, $html)
{
        if($name == '_session_id')
        {
                if(!isset($_COOKIE['wpcf7_session_id']))
                {
                        $id = uniqid();
                        setcookie('wpcf7_session_id', $id, time() + 24*60*60, "/");
                        $_COOKIE['wpcf7_session_id'] = $id;
                }
                $output = $_COOKIE['wpcf7_session_id'];
        }
        return $output;
}

add_shortcode('wpcf7_session_id', 'wpcf7_session_id_get');
function wpcf7_session_id_get()
{
        return isset($_COOKIE['wpcf7_session_id'])?$_COOKIE['wpcf7_session_id']:"";
}

Installation Steps

  1. Create a folder called cf7-special-session-id in your wp-content/plugins directory
  2. Save the above code in a file called cf7-special-session-id.php inside the cf7-special-session-id folder
  3. Go to your WordPress admin panel and navigate to the Plugins page
  4. Find and activate the newly created plugin

Configuration

  1. Configure the CF7 form PDF attachment options with the following settings:

    Filename: document
    Save PDF file on server: my-pdfs/[_session_id]/
    
  2. Configure the redirect page by linking your download button to the following URL:

    /wp-content/uploads/my-pdfs/[wpcf7_session_id]/document.pdf
    
  3. Add the download link to your thank you page HTML:

    <a href="/wp-content/uploads/my-pdfs/[wpcf7_session_id]/document.pdf" target="_blank" rel="noreferrer noopener">Download Your PDF</a>
    

Security Considerations

The session ID will be created and stored in user’s cookies. Only that user will know the session ID, so, they are the only ones who will have access to the filled PDF, assuming that you don’t have directory indexing enabled and you don’t have any other way for them to find out other user’s session IDs.

For additional security:

  1. Make sure directory indexing is disabled on your server
  2. Consider adding an .htaccess file to the uploads directory to restrict access
  3. Set an appropriate expiration time for the session cookies based on your needs