4

I need a method to protect the download URL of a file from being seen by the downloader.

The idea is that the user is given a download link after paying, but I want to stop them spreading the URL among their friends who haven't paid.

What are some common solutions to this? Possibly changing file name?

(I can do PHP and MySQL; this post is for methods really)

user961882
  • You can always mask the URL using rewrites. –  Aug 21 '13 at 11:23
  • @remyabel that doesn't actually protect the file. – Prix Aug 21 '13 at 11:23
  • @remyabel Genius! Only problem is, the enduser will still see *a URL* and be able to download the file from *that URL*. He doesn't care how it's internally being mangled in the server. – deceze Aug 21 '13 at 11:24
  • Right, but I'd imagine that if he cares about only paid users using the files, that there would be some sort of DRM or copy protection. He could also use a download manager to ensure that only licensed users can use the files. Judging from OP's question history, I don't think that will be the case, and that whatever his intentions are could be borderline unethical. –  Aug 21 '13 at 11:24
  • possible duplicate of [PHP: Let user download purchased file ONLY](http://stackoverflow.com/questions/12718685/php-let-user-download-purchased-file-only) – deceze Aug 21 '13 at 11:26

4 Answers

4

If users have an account on your site, store in your DB whether they paid for the download. Then give them a link such as download.php where you verify whether they paid, and if yes, do a location to the file. Example for a .pdf:

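```php
// $userpaid must be set beforehand from the DB lookup for the logged-in user.
if ($userpaid === true) {
  $filename = 'congrat-you-paid-it.pdf'; // Name to display
  $file = './download/pdf/secretlink.pdf'; // Real path, never shown to the user
  header('Content-type: application/pdf');
  header('Content-Disposition: inline; filename="'.$filename.'"');
  header('Content-Length: ' . filesize($file));
  // Stream the file through the script instead of exposing its URL
  @readfile($file);
  exit;
}
```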
Guillaume Lhz
3

One solution could be to use SESSION or a similar temporary storage and generate download URLs at run-time. So clicking on the URL again may not work.

Also, direct access to the files should not be allowed.

Vivek Jain
  • Would this work with sending the link to them via email? Not too familiar with how to do this, but will look into it, thanks – user961882 Aug 21 '13 at 11:28
  • 2
    To make it clear, this means: create a different URL per file for each purchase. Those links will never be the same for another customer for the same file. I would also say: store them in a database. This way you can send the link via e-mail to the user and once he has downloaded the file, you can make the link invalid and add some additional information, like the date and time of the download. – insertusernamehere Aug 21 '13 at 11:31
  • @user961882, yes you may create those links and send them via mail. Also as suggested in the previous comment, you may store the URLs in the database and additionally you may associate them with the user so no other user is able to download...and to download the user has to login (of course) – Vivek Jain Aug 21 '13 at 11:35
  • While this is a good idea, I believe it would be easier with the user logged in; having to recreate download links because the user changed his IP/cleared his cookies/his download crashed and the link got invalidated would be pretty bad for a not-so-techy user. You can also give it a time window for the download to be available, but if his internet sucks and it ends before he can download the file that would be pretty pissing hehe, not that I think we still have many users on a 14.400. – Prix Aug 21 '13 at 11:42
  • @Prix, the intent here is to send download links by email. In this case the user may not be logged in. So, the application will check if the user is logged-in, if not take him to the login page then check if the user is the correct user for that download and if the link has not expired...and so on...! What do you think? – Vivek Jain Aug 21 '13 at 12:10
  • If that is the case there is no need for `generate download URLs at run-time` you can just use the product hash or id. – Prix Aug 21 '13 at 12:17
  • @Prix, there is one more requirement that a user should not be able to distribute links to others. Generate URLs at run-time could be a function of the user-id and the file-id or something like that. – Vivek Jain Aug 21 '13 at 12:24
  • 1
    @theghostofc it doesn't matter if they do if you're using what you described `the application will check if the user is logged-in, if not take him to the login page then check if the user is the correct user for that download` as it would not grant access to them regardless. – Prix Aug 21 '13 at 12:28
1

Create a token. Store it at your end and send it with the file URL as well. When the user clicks the URL, match the token and allow the download, then remove the token from your storage. You have to generate a new token every time a registered user wants to download, though.

Bikas
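
The per-purchase link from the answers and comments above (stored in a database, tied to the user, limited to a time window, invalidated on first download with the time recorded), as an added example that is not code from any of the answers. The table name `download_tokens`, the function names `issueToken`/`redeemToken`, the in-memory SQLite store and the user/file ids are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Constructed demo storage: in-memory SQLite (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE download_tokens (
    token_hash TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL, file_id INTEGER NOT NULL,
    expires_at INTEGER NOT NULL, used_at INTEGER)');

// One token per purchase. Only the SHA-256 hash is stored, so a copy of the
// table does not contain working links.
function issueToken(PDO $db, int $userId, int $fileId, int $ttl, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $ins = $db->prepare('INSERT INTO download_tokens VALUES (?, ?, ?, ?, NULL)');
    $ins->execute([hash('sha256', $token), $userId, $fileId, $now + $ttl]);
    return $token; // this value goes into the e-mailed download URL
}

// A single UPDATE checks owner, expiry and prior use and marks the token used,
// so two concurrent requests cannot both succeed. Returns the file id or null.
function redeemToken(PDO $db, string $token, int $userId, int $now): ?int
{
    $hash = hash('sha256', $token);
    $upd = $db->prepare('UPDATE download_tokens SET used_at = ?
        WHERE token_hash = ? AND user_id = ? AND used_at IS NULL AND expires_at > ?');
    $upd->execute([$now, $hash, $userId, $now]);
    if ($upd->rowCount() !== 1) {
        return null;
    }
    $sel = $db->prepare('SELECT file_id FROM download_tokens WHERE token_hash = ?');
    $sel->execute([$hash]);
    return (int) $sel->fetchColumn();
}

// Constructed ids: user 42 bought file 7; user 99 received a forwarded link.
$now = time();
$token = issueToken($db, 42, 7, 3600, $now);
var_dump(redeemToken($db, $token, 99, $now));        // forwarded link, other account
var_dump(redeemToken($db, $token, 42, $now));        // buyer, first click
var_dump(redeemToken($db, $token, 42, $now));        // same link clicked again
$stale = issueToken($db, 42, 7, 3600, $now);
var_dump(redeemToken($db, $stale, 42, $now + 3601)); // after the time window
```

Only the buyer's first click returns the file id; the other three calls return null. In download.php the returned id would select the file to stream with `readfile()`, as in the first answer.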
0

Using sessions is quick and easy; for better security, what you can do is:

  • Put the actual file in a separate folder and put a .htaccess in it to only allow the script to access that file.

  • Then generate a random unique variable

  • Then make a temp file with that name and give the link to it to the client

  • Finally run a cron job to delete the unnecessary created files.

Niket Malik
  • 1
    Probably shouldn't do this. There's no need to physically manipulate files. You can do the same thing by leaving the filenames constant and then routing to them via a unique string that you only allow to be used once. – 1mike12 Jan 18 '18 at 15:24
  • Agreed with @1mike12, was an old answer. The accepted answer makes more sense. – Niket Malik Jan 29 '18 at 02:04