Welcome to WebmasterWorld Guest from

Forum Moderators: phranque

Message Too Old, No Replies

password protecting a page (SOS & urgent)

need to password protect a download page upon redirect from paypal



1:59 am on Jul 9, 2010 (gmt 0)

5+ Year Member


I am trying to set up something on a client site. They are offering a download for purchase and I have paypal configured to redirect upon completion of the transaction... but I want to protect the download page as well.

I posted a question at paypal but haven't received an answer yet.

I need to know how to put in a password protection, and I need to know how to get that password to the customer when they run through their transaction. If paypal sends them directly to the url then how would they get a password?

thanks for any assistance


9:00 am on Jul 9, 2010 (gmt 0)

WebmasterWorld Senior Member piatkow is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

Well I wouldn't know how to code it either but the logic would be something like:
1. Generate a confirmation code on completion and store in a database
2. Email the code to the customer
3. Route the customer to an acknowledgement page telling them to check their email for the confirmation code (and reminding them to check the junk folder as well as the inbox)
4. Customer tries to access download - prompt for confirmation code, deliver download and flag code as "used" so they can't pass it on to somebody else

You will need to ensure that your automated emails pass spam checks by the major webmail providers. Hotmail in particular has very aggressive filters and may not even deliver to the junk folder if it doesn't like your message.


2:28 pm on Jul 9, 2010 (gmt 0)

5+ Year Member

well, that's ideal except that it needs to not require the email step. It needs to be more instant than that.

I would have no idea how to implement that anyway. I am hoping that someone who uses paypal this way can assist. This can't be the first instance that it has come up. I would hope there would be an automated way within their system, but I don't know paypal all that well.

I am planning to use refresh/redirect and no follow for the spiders, and I have to go with the client's preference on zipping the file to prevent it from ending up on the search engines. I doubt they will want it zipped. The whole point right now for them is the increase the speed of getting that guide to their customers. No one wants to download and install a zip program just to open what they bought from my client.

I can change the redirect url in paypal regularly to prevent it from just getting passed around as well.

surely others must be facing this...


2:35 pm on Jul 9, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

presumably you have some kind of database with purchase numbers, order numbers, or the like. what you could do is redirect them to the download page and stick a query string on the end with the order number.

then have a column in your database which says if the order number has already been downloaded. if it hasn't, then let them continue. otherwise, kick them out.


3:36 pm on Jul 9, 2010 (gmt 0)

5+ Year Member

No, there isn't any database. There is just one product that is going to be in a pdf version.

I hand code my websites but I am not a programmer. I know nothing about strings or database applications.


7:15 pm on Jul 9, 2010 (gmt 0)

WebmasterWorld Senior Member bwnbwn is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

beaglechick not having this dynamic is going to be a huge issue and one that I don't think your going to be able to do.

Maybe this. Build a page to have paypal redirect to that has the link to the pdf password protected. This you can get from doing some searches for.

On this page have the user name and password they need to get into the page. They can get the download then without having to go through and email, and you can actually build as many of these as you like and just change the redirect in paypal to go to a different password protected page each day.

just a thought to maybe provide an easier solution.


7:29 pm on Jul 9, 2010 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Welcome aboard beaglechick, but you need to bring in a programmer on this, and now. Someone you can trust, when you deal with transactions and secure downloads, it's not something you just throw on a site and call it good.

Think about your logic: if you have a password protected area, why couldn't someone give that password to all their friends? They can (and in truth, the PDF can be passed around too, but that's another issue . . .)

Here is how this works:

- Domain owner has a sale. **somewhere** you store an ID for this sale. You really do need a database, even if it's just plain text.

- Customer is directed to paypal, makes purchase.

- payPal's Instant Payment Notification notifies a script on your site, call it a "listener script" that the transaction is successful. Listener locates the order by the ID you stored. Script sends an email to the customer with the unique id and notation that it will expire in x hours or one download, whatever comes first, something like


- On clicking the link, order-fulfillment.php marks the order as fulfilled, making it impossible for subsequent visits to that URL to get the product. It then opens the document from a secure location and prints it to the browser, never revealing the true location of "file.pdf."

- Optional, but really needs to be done: there **may** be a way to password protect each PDF uniquely (on the fly for each purchase, as opposed to bwnbwn's manual solution) with some PHP or other language library, but I'd call this phase two, if you can get through the first ones at least it will offer some form of protection.

As said, you need a programmer, in PHP, Perl, or ASP/.NET or PHP if it's a windows server, this is not a design project.


7:24 pm on Jul 10, 2010 (gmt 0)

5+ Year Member

Thanks... I was worried that was the case. This is the first time they have had *anything* downloadable for sale. I was already thinking that *just* a password wouldn't work for them. But I have no experience with paypal, etc., and was hoping there was some widget that would handle this.

I doubt highly that security is going to be huge for them due to the nature of their business, product and clients... but that has to be their decision. If they are ok taking that risk with the redirect and just hiding the files from the bots, well... not my fault.

thanks so much for assisting


1:37 am on Jul 12, 2010 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

I doubt highly that security is going to be huge for them due to the nature of their business

This is one of the earliest mistakes you can make, it's not the "normal site visitors" or "ordinary operations" you ever have to worry about. It's someone from China or Hungary or Transylvania or wherever else that will hack and steal their content and re-sell it "just because they can." :-)


11:31 am on Aug 1, 2010 (gmt 0)

5+ Year Member

FYI a good way to stop the file being distributed after purchase, or at least 99% of it, is to print the shopper's personal details on the fly on the PDF - though I doubt you'd be able to get those details after a PP transaction.