Brainstorm... 1

[MichiganRon]

Okay. Here's what I want to do. I'm not necessarily looking for any specific code here. I just want some ideas.

I want to write a security/authentication system that will allow certain users to download specific files after they have paid for them. I don't want other users to be able to download these files if they have not paid for them. I also don't want anonymous users to be able to download these files.

I DON'T want to use any server-based user system like FTP where each user has an account on the server. I mean, we're talking hundreds or thousands of users. Manually managing that many user accounts and file rights is not an option.

I will be using a MySQL database to store the user accounts and file locations.

My first thought is to have the files stored in a "secret" location on the server and have a different virtual directory created for each paid customer. However, this would require me to be able to dynamically create a virtual directory each time a user pays for a download. I don't know if this is possible.

Another idea I thought of is to have a download script which authenticates whether the user has rights to download a specific file and then redirects and starts downloading the file. (eg:

http://foo.com/bar.php?userid=123&file=example.zip)

There is one problem with this; How do I hide the file location so that users can't just link directly to the file?

I've racked my brain on these ideas and am at a loss. Any ideas are greatly appreciated.

Thanks,
-Ron

We all play from the same deck of cards, it's how we play the hand we are dealt which makes us who we are. -Me

murof siht edisni kcuts m'I - PLEH

 

[sleipnir214]

Keep in mind that PHP's filesystem functions are not necessarily constrained by the document root of the server.

For example, you could place the files outside the document root, but still use PHP's readfile() function (

http://us4.php.net/manual/en/function.readfile.php)

to stream the file to the browser.


Write a script that authenticates a user and records that the user is logged in in a session variable.

Write a script that, dependent on the user login provided by the session variable, presents a set of links to a download stream script. Those links will tell the stream script what file to download via the URL.

Have the streaming script also check the session variable to make sure the user is allowed to access the file.

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[hos2]

perhaps you can also look at pgp where you can encrypt files and use private and public keys. the private key verifies from whom the file is and the public key is for decrypting which the people get when they have paid for the file. without the key the file is useless

look

http://www.pgpi.org/

for info about pgp

 

[Bosah]

I think hos2 has a really good point. If you can afford the processing overhead it would have advantages to pgp sign each downloaders shopping cart.

It would provide an incentive for the downloaders not to share the files right away because they would have to give out their private key. Of course they still could extract the files and share those but they'll eventually be able to do that anyway.

If your client worked well you might let the downloader keep their downloads in an encripted format locally.

bv

 

[MichiganRon]

Thanks guys (and gals?). While I like the idea of using PGP, I'm not really that worried about the security of the files once they've been downloaded. I pretty much just want to validate a user before letting them download. So, it looks like sleipnir214 has provided the best solution thus far. Thanks.

Another /art/star.gif for you sleipnir214!

-Ron

P.S. Other users are free to continue this discussion if they feel they have a better solution.

We all play from the same deck of cards, it's how we play the hand we are dealt which makes us who we are. -Me

murof siht edisni kcuts m'I - PLEH