[PHP] ******************* Secure product download *******************
I am building a site where visitors can purchase and download software. To purchase a software product, the visitor must submit credit card info. Once the purchase has been approved, the user is given a link from which he/she may download the requested software. This link MUST only be accessible to those who have paid.

I have tried a number of different and creative methods, but none give me the security I need. I don't want the user to be able to bookmark the URL or email the URL to friends so that they can download the software as well. I am using PHP sessions combined with MySQL user accounts to authenticate users throughout the rest of the site. How can I get this to work for downloads?

Is this even possible within the open realm of the browser? Have any of you solved a similar problem? I welcome any ideas.

Ron Stagg
Re: [PHP] ******************* Secure product download *******************
    session_start();
    if (!isset($_SESSION['did_pay'])) {
        header("Location: http://www.example.com/pay_first.php");
        exit; // stop here so the download code below never runs for an unpaid session
    }
    // show download code

Obviously you set $_SESSION['did_pay'] to a value once they, umm, pay.

---John Holmes...

----- Original Message -----
From: Ron Stagg [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, May 29, 2002 4:47 PM
Subject: [PHP] *** Secure product download ***

> I am building a site where visitors can purchase and download software. To purchase a software product, the visitor must submit credit card info. Once the purchase has been approved, the user is given a link from which he/she may download the requested software. This link MUST only be accessible to those who have paid.
>
> I have tried a number of different and creative methods, but none give me the security I need. I don't want the user to be able to bookmark the URL or email the URL to friends so that they can download the software as well. I am using PHP sessions combined with MySQL user accounts to authenticate users throughout the rest of the site. How can I get this to work for downloads?
>
> Is this even possible within the open realm of the browser? Have any of you solved a similar problem? I welcome any ideas.
>
> Ron Stagg

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] ******************* Secure product download *******************
Yes, but unauthorized users can still just key in the URL (http://www.example.com/pay_first.php) into their browser and get around the session verification.

I have toyed around with dynamically building the file when it is needed, but I need to delete it once it has been downloaded by the user. How can I delete a file as soon as it has been downloaded?

Ron Stagg

-----Original Message-----
From: 1LT John W. Holmes [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 29, 2002 2:57 PM
To: Ron Stagg; [EMAIL PROTECTED]
Subject: Re: [PHP] *** Secure product download ***

>     session_start();
>     if (!isset($_SESSION['did_pay'])) {
>         header("Location: http://www.example.com/pay_first.php");
>         exit; // stop here so the download code below never runs for an unpaid session
>     }
>     // show download code
>
> Obviously you set $_SESSION['did_pay'] to a value once they, umm, pay.
>
> ---John Holmes...
Re: [PHP] ******************* Secure product download *******************
ugh a software pay site written in php. it makes me feel dirty...

At 04:56 PM 5/29/2002 -0400, 1LT John W. Holmes wrote:

>     session_start();
>     if (!isset($_SESSION['did_pay'])) {
>         header("Location: http://www.example.com/pay_first.php");
>         exit; // stop here so the download code below never runs for an unpaid session
>     }
>     // show download code
>
> Obviously you set $_SESSION['did_pay'] to a value once they, umm, pay.
>
> ---John Holmes...
Re: [PHP] ******************* Secure product download *******************
Umm... no they can't. pay_first.php is what you send them to if they don't have a correct session. If the session is correct, show the download page. Notice the ! in front of isset().

---John Holmes...

----- Original Message -----
From: Ron Stagg [EMAIL PROTECTED]
To: 1LT John W. Holmes [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, May 29, 2002 5:02 PM
Subject: RE: [PHP] *** Secure product download ***

> Yes, but unauthorized users can still just key in the URL (http://www.example.com/pay_first.php) into their browser and get around the session verification.
>
> I have toyed around with dynamically building the file when it is needed, but I need to delete it once it has been downloaded by the user. How can I delete a file as soon as it has been downloaded?
>
> Ron Stagg
RE: [PHP] ******************* Secure product download *******************
John,

I appreciate your advice here. Please tolerate another question: Your code example had the comment "//show download code". That is what I need. What is the download code?

Thanks,
Ron

-----Original Message-----
From: 1LT John W. Holmes [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 29, 2002 3:29 PM
To: Ron Stagg; [EMAIL PROTECTED]
Subject: Re: [PHP] *** Secure product download ***

> Umm... no they can't. pay_first.php is what you send them to if they don't have a correct session. If the session is correct, show the download page. Notice the ! in front of isset().
>
> ---John Holmes...
Re: [PHP] ******************* Secure product download *******************
On Wed, 29 May 2002, Ron Stagg wrote:

> Is this even possible within the open realm of the browser? Have any of you solved a similar problem? I welcome any ideas.

Your solution is pretty easy. Assign a php script that will actually send the download. At this point, your PHP script can do whatever integrity checking you need for you to be satisfied payment occurred. Then all you need to do is send a couple of headers and stream the file directly to the end user. I'd suggest headers like this:

    <?php
    /* I'll assume you do authentication and whatnot up here.
       Errors, warnings, redirects, whatever... all go up here.
       When you're satisfied, move on to the stuff below.
       Make sure no other headers have been sent by this point. */

    header("Content-type: application/zip");
    header("Content-Disposition: attachment; filename=\"the_file_name_you_want.zip\"");

    // At this point, you may either construct, or stream whatever data
    // you want. Just make sure it matches your declared Content-type.
    readfile("any_file_you_want.zip");
    ?>

And done. If you put the file you send somewhere out of the document root, the download location can't even be reverse-engineered. This script is the only way to get that file.

--
Shaun M. Thomas, INN Database Administrator
Web: www.townnews.com
RE: [PHP] ******************* Secure product download *******************
[snip]
> If you put the file you send somewhere out of the document root, the download location can't even be reverse-engineered. This script is the only way to get that file.

That's the key, right there. Combining that with sessions will make it so that only people with the appropriate session will be able to access the download script. Keeping it outside of the web root will make it so no one can just type in the URL to the file.

---John Holmes...
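
The two pieces of advice in this thread combined, as an added example that is not code from any of the posters: the session check from John's messages sits in front of the streaming script from Shaun's. The directory, the product map and the session keys (`user_id`, `paid_products`) are assumptions made for illustration.

```php
<?php
// download.php: added example. PRODUCT_DIR, PRODUCTS and the session keys are assumptions.
declare(strict_types=1);

const PRODUCT_DIR = '/srv/private/products';   // assumed path outside the document root
const PRODUCTS = [                             // server-side map: the client never sends a path
    'widget-pro' => 'widget-pro-1.0.zip',      // constructed sample entry
];

/** Return the file name this session may download for $id, or null. */
function authorized_file(array $session, string $id): ?string
{
    if (empty($session['user_id'])) {
        return null;                           // not logged in
    }
    $paid = (array)($session['paid_products'] ?? []);  // filled in by checkout after approval
    if (!in_array($id, $paid, true) || !array_key_exists($id, PRODUCTS)) {
        return null;                           // not purchased, or unknown product id
    }
    return PRODUCTS[$id];
}

session_start();
$id   = is_string($_GET['product'] ?? null) ? $_GET['product'] : '';
$file = authorized_file($_SESSION, $id);

if ($file === null) {
    header('Location: http://www.example.com/pay_first.php');
    exit;   // a Location header alone does not stop the script
}

$path = PRODUCT_DIR . '/' . $file;
if (!is_readable($path)) {
    http_response_code(404);
    exit;
}

session_write_close();                         // release the session lock during the transfer
header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="' . $file . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');    // keep shared caches from storing the file
readfile($path);
```

Because the check runs on every request, a bookmarked or forwarded link to this script only returns the file in a browser that holds the buyer's session.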