www.webdeveloper.com

Thread: Best Security of a file download page

  1. #1 (Join Date: Feb 2012; Posts: 102)

    Best Security of a file download page

    I have a page that downloads a file that was purchased through my website and I have used HTTP_REFERER to make sure that page is accessed only by the download page on my site. Is this reliable security or is there a better way to keep this page from being visited? I was also considering placing the download page in an includes folder outside of the web root and having my link point to that. I would like to know what the community thinks are the best ways to secure a download page.

  2. #2 (Join Date: Mar 2011; Posts: 1,148)

    HTTP_REFERER is not a secure method. It is easily spoofed.

    I would suggest that you assign a unique identifier to each user, and set up a database to track the purchases. Your download script would then be able to check that database to confirm that the user is allowed to receive the file, and record each download attempt to prevent multiple downloads. The exact coding would depend on the payment method you use. If the method is internal to your website, then you just modify your own scripts. If you use an external payment processor, you'll need to work with their payment confirmation methods.

  3. #3 (Join Date: Feb 2012; Posts: 102)

    Quote Originally Posted by rtrethewey
    HTTP_REFERER is not a secure method. It is easily spoofed.

    I would suggest that you assign a unique identifier to each user, and set up a database to track the purchases. Your download script would then be able to check that database to confirm that the user is allowed to receive the file, and record each download attempt to prevent multiple downloads. The exact coding would depend on the payment method you use. If the method is internal to your website, then you just modify your own scripts. If you use an external payment processor, you'll need to work with their payment confirmation methods.
    What I am doing is assigning a download code to each person once their payment has been confirmed through PayPal. Then, on the page they are redirected to after PayPal, they confirm their email and the download code is emailed to them. After they get the code they go to the download page and enter that code to verify it. If it is verified they are provided a link that, when they click it, gives them the option of saving the file to their computer. I used HTTP_REFERER so if they try to access the file directly it says "Nothing to see here". The download code is only good for two downloads and that information is in my database. If they try to use the code more than the two times it tells them that their download limit has been exceeded.

  4. #4 (Join Date: Mar 2011; Posts: 1,148)

    As I say, the best approach is to assign a unique identifier to each user that makes a purchase and store that identifier in your database. Then you can have your PayPal callback script note the payment in your database for that user. You can attach the identifier to the user with PHP sessions for single-visit methods, or make a full customer account creation system with log-ins so they can pay and download in separate visits (which can be helpful if you have a lot of failed downloads).

    I'm sure if you do some searches or check the script directories, you'll be able to find many different ways of doing this securely. Good luck!
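
    Pulling together the advice in posts #2 and #4 (a per-purchase identifier looked up in the database, every attempt recorded) with the two-download limit described in post #3, here is an added example of such a download script in PHP. It is not code from this thread or from any of the posters. The table name `purchases` and its columns, the paths under `/var/www/private`, the `MAX_DOWNLOADS` constant and the assumption that download codes are 32 hex characters produced by `bin2hex(random_bytes(16))` are all choices made for this example.

```php
<?php
// download.php -- added example, not code from the thread. Assumes a SQLite table
//   purchases(download_code TEXT PRIMARY KEY, product_file TEXT, paid INTEGER, downloads INTEGER)
// that the PayPal confirmation script fills in, and product files stored in a
// directory outside the web root so they can only be served through this script.
declare(strict_types=1);

const FILE_DIR      = '/var/www/private/files';   // outside DocumentRoot (assumed path)
const DB_PATH       = '/var/www/private/shop.sqlite';
const MAX_DOWNLOADS = 2;                           // the limit described in the thread

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

// 1. Validate the token itself, not who is linking to us. HTTP_REFERER is
//    chosen by the client and proves nothing about where the request came from.
$code = $_GET['code'] ?? '';
if (!is_string($code) || !preg_match('/^[0-9a-f]{32}$/', $code)) {
    deny(404, 'Nothing to see here');            // codes are bin2hex(random_bytes(16)) (assumed)
}

$pdo = new PDO('sqlite:' . DB_PATH, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// 2. Check the purchase and count the attempt in one transaction, so two
//    concurrent requests with the same code cannot both get the last download.
$pdo->beginTransaction();
$stmt = $pdo->prepare('SELECT product_file, downloads FROM purchases
                       WHERE download_code = :code AND paid = 1');
$stmt->execute([':code' => $code]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    $pdo->rollBack();
    deny(404, 'Nothing to see here');            // unknown or unpaid code: same answer as a bad URL
}
if ((int) $row['downloads'] >= MAX_DOWNLOADS) {
    $pdo->rollBack();
    deny(403, 'Your download limit has been exceeded');
}
$upd = $pdo->prepare('UPDATE purchases SET downloads = downloads + 1
                      WHERE download_code = :code AND downloads = :seen');
$upd->execute([':code' => $code, ':seen' => $row['downloads']]);
if ($upd->rowCount() !== 1) {                    // lost a race with another request for this code
    $pdo->rollBack();
    deny(409, 'Please retry');
}
$pdo->commit();

// 3. Resolve the file name from the database only, never from the request,
//    and confirm the resolved path is still inside FILE_DIR.
$path = realpath(FILE_DIR . '/' . basename($row['product_file']));
if ($path === false
    || strpos($path, realpath(FILE_DIR) . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    deny(500, 'File unavailable');               // misconfiguration; log it server-side
}

// 4. Stream the file with headers that make the browser save it rather than render it.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: no-store');
readfile($path);
```

    The link shown to the customer after they enter their code is simply `download.php?code=...`, and the script makes the whole decision: whether a Referer header is present, or what it says, plays no part. What lives outside the web root is the file directory and the database, not the script; a script that cannot be reached by URL cannot serve anything, while files that cannot be reached by URL can only be obtained through this check. The counter is incremented inside the transaction with a compare-and-swap on the value just read, so two simultaneous requests with the same code cannot both be counted as the second download. If the codes are emailed to customers, a further step is to store only a hash of each code in the table and hash the submitted value before the lookup, so that a leaked database dump does not contain live download links.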
