I have a website with software downloads. Each of my customers has their own directory on the web server, and the directories are currently protected by tokens. Problem is, each customer needs their own token, and I'm running into the token limit on my web server.
So, I'm looking at scripting the logins, and understand the basics of how this is done, with a small ASP script at the start of each page to check for session login, and redirection to a login page, etc.
OK, what about the actual executable download files - How do I protect these against direct linking? The current token system protects this very well, because a login is required before accessing the directory, so this works for exe files as well as web pages.
However, if I remove the tokens and use scripted login, I can protect my web pages, but all it would take is for one customer (or ex-customer) to read the download link and publish it, and anyone who knows the link can download the software. It would also be very easy for customers to use the direct link to get free upgrades as the software is improved.
How can I protect against this? Can it be done with ASP (or PHP) scripting? I have seen systems using bizarre directory names for the download, that change with each version. Is this the best way?
Thanks for your help and ideas.
So you want a customer to only be able to download from their directory?
Yep. Each customer has their own directory, with a single webpage with a single link to a single executable. Occasionally customers have multiple downloads for a particular customer. Most customers share a common directory. It would be nice to also offer common-access areas too, but this is not totally necessary, and not part of the initial requirement.
Originally Posted by Chikara
The actual number of customers is small (<50), and fairly static, so manual configuration is no problem. It's just very important to keep the downloads secure from each other (my customers are all direct competitors of each other) and secure from outsiders.
Just make it so that a customer must log in to download a file. Then you can associate the login ID with the folder name.
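One way to implement the suggestion above, as an added example that is not code from any poster in this thread: the executables sit outside the web root, so no direct URL reaches them, and a script streams a file only from the folder mapped to the logged-in ID. The script name, the `file` parameter, the `customer_id` session key, the storage path and the sample customer map are all assumptions.

```php
<?php
// download.php?file=setup.exe  (hypothetical script name and parameter)
// Assumption: the login page stored the authenticated ID in $_SESSION['customer_id'].
session_start();

// Assumption: downloads live outside the web root, so no URL maps to them directly.
$downloadRoot = '/srv/downloads';

// Manually maintained map of login ID => folder name (constructed sample values).
$customerDirs = [
    'acme'   => 'acme',
    'globex' => 'globex',
];

function resolve_download(array $dirs, string $root, ?string $customerId, string $requested): ?string
{
    if ($customerId === null || !array_key_exists($customerId, $dirs)) {
        return null;                        // not logged in, or unknown customer
    }
    $base = realpath($root . DIRECTORY_SEPARATOR . $dirs[$customerId]);
    if ($base === false) {
        return null;                        // customer folder missing
    }
    // basename() drops any directory part, so "../globex/setup.exe" becomes "setup.exe".
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    // realpath() resolves symlinks; the result must still sit inside this customer's folder.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || !is_file($path) || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$customerId = isset($_SESSION['customer_id']) ? (string) $_SESSION['customer_id'] : null;
$path = resolve_download($customerDirs, $downloadRoot, $customerId, (string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(403);                // same answer for "no login" and "not your file"
    exit('Forbidden');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A published link to this script is useless without a valid session, and because the folder comes from the session rather than the URL, a logged-in customer cannot request another customer's file.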