Forum Moderators: coopster


Limiting Download Access to URL

         

Maddrax

8:11 pm on Jun 28, 2011 (gmt 0)

10+ Year Member



Hi,

I am new here so sorry if this is the wrong forum for my question.

I have now painfully integrated mobile payment into my website, where I sell digital stuff to my customers. Since I am targeting countries where credit card payments are practically not possible (so no PayPal, e-junkie or whatever), I needed to do it that way.

Question is: every time somebody pays with a premium SMS, how can I ensure that the file, which is hosted on Amazon S3, can only be accessed a couple of times? Or how can I encrypt the URL so that it can't be shared?

Are there any best practices regarding this issue?

Thank you very much for your input!

Maddrax

penders

12:34 pm on Jun 29, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Do you want your users to 'log in' before accessing the file to download, or should the URL be publicly available but for a limited number of requests?

The trick is to not provide your users with the actual URL of the file. The files themselves should be protected and not directly accessible.

The URL you publish directs the user through your download script, e.g.:
http://www.example.com/filedownload?id=ABC123


By looking up 'ABC123' in your DB you can determine exactly which file is requested and how many times it's been requested. If it's not been requested more than 'max' times then send the appropriate file to the user, perhaps with PHP's readfile() [uk2.php.net] function, and update your DB.

rocknbil

4:06 pm on Jun 29, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome aboard Maddrax - the fundamental trick to that method is not to link directly to the file - link to a script that validates the request, then if valid, opens and reads the file and prints it directly to the browser via the script. You can expire it with time, number of downloads, or any other validations you need that way.

Maddrax

4:39 pm on Jun 29, 2011 (gmt 0)

10+ Year Member



Thanks for the warm welcome! Unfortunately I guess I am not able to generate such a script... is it difficult?

Thanks for your help!

rocknbil

3:48 pm on Jun 30, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Not really, see penders' link to readfile().

1. Store the file in some private unbrowsable location
/domain.com/httpdocs <-- web-browsable
/domain.com/private-dir <-- not web browsable

2. Experiment with readfile, figure out how it works.

3. Search for resources in PHP for setting cookies, generating unique IDs, and storing them somewhere (in a MySQL database).

4. Search for resources to force downloads to the browser with PHP.

You may even find some script that does this or comes close you can modify.

thecoalman

4:49 pm on Jul 4, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you want to download phpBB you can get a working example of this using authentication. It's open source so if you want to strip out what you need......

When someone uploads a file, the original filename, filetype etc. are stored in the database. The filename used to save the file on the server is converted to a random string with no extension; this random string is also stored in the database. The files are saved into a folder protected with htaccess, preventing public access and disallowing displaying the index, which is the default on most servers anyway. Even if the htaccess were to fail they still don't know the filename, and there is a blank index.html file as a last line of defense. phpBB doesn't really have the option of putting it in a folder that is outside of the public folders for a default installation.

As already explained, it's served through a script; the script checks to make sure the user has permissions for the file. If, for example, it was uploaded to a forum they don't have access to or a PM they weren't a party to, access is denied.
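
The approach described across this thread (an unguessable id in the URL, the file kept outside the web root under a stored name, and a download counter in the database), as an added example that is not code from any poster or from phpBB. The table `downloads`, its columns, the SQLite DSN and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) names:
// table `downloads` (token TEXT PRIMARY KEY, stored_name, original_name,
// hits INTEGER, max_hits INTEGER), PRIVATE_DIR, and both functions below.
const PRIVATE_DIR = '/domain.com/private-dir'; // outside the web root

// Call after a confirmed payment; returns the id to put in the download URL.
function issueToken(PDO $db, string $storedName, string $originalName, int $maxHits): string
{
    $token = bin2hex(random_bytes(16)); // 128-bit unguessable id
    $db->prepare('INSERT INTO downloads (token, stored_name, original_name, hits, max_hits)
                  VALUES (?, ?, ?, 0, ?)')
       ->execute([$token, $storedName, $originalName, $maxHits]);
    return $token;
}

// Counts one download if the limit allows; returns the file row or null.
function claimDownload(PDO $db, string $token): ?array
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null; // not in the format issueToken() produces
    }
    // Single conditional UPDATE so parallel requests cannot exceed max_hits.
    $upd = $db->prepare('UPDATE downloads SET hits = hits + 1
                         WHERE token = ? AND hits < max_hits');
    $upd->execute([$token]);
    if ($upd->rowCount() !== 1) {
        return null; // unknown token or limit reached
    }
    $sel = $db->prepare('SELECT stored_name, original_name FROM downloads WHERE token = ?');
    $sel->execute([$token]);
    return $sel->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Request handler, e.g. filedownload.php?id=<token>
$db = new PDO('sqlite:' . PRIVATE_DIR . '/downloads.sqlite', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]); // assumed DSN
$id = $_GET['id'] ?? '';
$row = claimDownload($db, is_string($id) ? $id : '');
$path = $row ? PRIVATE_DIR . '/' . basename($row['stored_name']) : null;
if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit('Download not available.');
}
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']); // header-safe
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The counter is incremented before the file is sent, so an interrupted transfer still uses up one of the allowed downloads; set `max_hits` with that in mind.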