On 7/3/2011 4:53 PM, Stuart Dallas wrote:
Only allowing them to access the URL once is a bad idea. If their download fails, is corrupt, or any number of other things go wrong (think accelerators, browser accelerators, etc) then you end up with a lot of support mail. Better to give them access for a short period of time.

Ok, so it just got more complex- if we let them do it twice, or three times, we have a more complex design specification; if we let them do it unlimited times, we just defeated the purpose of the exercise. How about this: if it fails, the customer can email us, and we can reply with a copy as an attachment; a ripoff artist will not be in the log, and a complaint of failure to download gets them nothing.

Personally I would generate a unique token linked to their account, or if no user system exists then link it to their order number. Stick that in a URL and forward them to it. That URL shows them the thanks page and links to download the product(s). Each of those links also contains the token. Expire that token after 24 hours, and on the page telling them it's expired give them a way to contact you just in case they haven't successfully downloaded the product yet.

There is no need to use cookies. There is no need to use basic authentication (which is a horrible user experience). They come back from PayPal to a script that sets up their unique URL, then you take them to that URL. KISS it - the more complicated you make this the worse the user experience will be and it won't be any more secure than a time-limited unique token as described above.


Stuart Dallas
3ft9 Ltd


Very Truly yours,
                 - Kirk Bailey,
                   Largo Florida

                      | BOX |

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
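
The time-limited token scheme described in the quoted message, sketched in PHP as an added example (not code from the thread or its participants). The function names, the array standing in for a database table, the order number and the shop.example URL are all assumptions.

```php
<?php
// Added example; all names and sample values are constructed.
const TOKEN_TTL = 86400; // 24 hours, the lifetime suggested in the thread

/** Issue a token tied to an order. Only the SHA-256 of the token is stored,
 *  so a leaked table does not hand out working download links. */
function issue_token(array &$store, string $orderId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not guessable
    $store[hash('sha256', $token)] = [
        'order'   => $orderId,
        'expires' => $now + TOKEN_TTL,
    ];
    return $token; // this value goes into the thanks-page and download URLs
}

/** Return the order id for a known, unexpired token, otherwise null. */
function check_token(array $store, string $token, int $now): ?string
{
    // Reject anything that is not exactly 64 lowercase hex characters.
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;
    }
    // Lookup is by hash, so the raw token is never compared byte by byte.
    $row = $store[hash('sha256', $token)] ?? null;
    if ($row === null || $now >= $row['expires']) {
        return null; // unknown or expired: show the "contact us" page
    }
    return $row['order'];
}

// --- constructed demo: the script PayPal returns the buyer to ---
$store = [];            // stand-in for a database table (assumption)
$t0    = 1309726380;    // constructed "time of purchase"
$token = issue_token($store, 'ORDER-1001', $t0);
echo 'https://shop.example/thanks.php?t=' . $token . "\n";

$cases = [
    'one hour later'      => check_token($store, $token, $t0 + 3600),
    'after 24 hours'      => check_token($store, $token, $t0 + TOKEN_TTL),
    'forged token'        => check_token($store, str_repeat('0', 64), $t0),
    'malformed parameter' => check_token($store, "../etc/passwd", $t0),
];
foreach ($cases as $label => $result) {
    printf("%-20s => %s\n", $label, var_export($result, true));
}
```

Repeat downloads inside the window keep working because the check never consumes the token; only the expiry closes it.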
