Best Security of a file download page

I have a page that downloads a file that was purchased through my website and I have used HTTP_REFERRER to make sure that page is accessed only by the download page on my site. Is this reliable security or is there a better way to keep this page from being visited? I was also considering placing the download page in an includes folder outside of the web root and having my link point to that. I would like to know what the community thinks are the best ways to secure a download page.

PHP
@rtrethewey (May 17, 2012):
HTTP_REFERER is not a secure method. It is easily spoofed.

I would suggest that you assign a unique identifier to each user, and set up a database to track the purchases. Your download script would then be able to check that database to confirm that the user is allowed to receive the file, and record each download attempt to prevent multiple downloads. The exact coding would depend on the payment method you use. If the method is internal to your website, then you just modify your own scripts. If you use an external payment processor, you'll need to work with their payment confirmation methods.
@mcco (author, May 17, 2012):
[QUOTE=rtrethewey]HTTP_REFERER is not a secure method. It is easily spoofed.

I would suggest that you assign a unique identifier to each user, and set up a database to track the purchases. Your download script would then be able to check that database to confirm that the user is allowed to receive the file, and record each download attempt to prevent multiple downloads. The exact coding would depend on the payment method you use. If the method is internal to your website, then you just modify your own scripts. If you use an external payment processor, you'll need to work with their payment confirmation methods.[/QUOTE]


What I am doing is assigning a download code to each person once their payment has been confirmed through PayPal. Then on the page they are redirected to after PayPal they confirm their email and the download code is emailed to them. After they get the code they go to the download page and enter that code to verify it. If it is verified they are provided a link that, when they click it, gives them the option of saving the file to their computer. I used HTTP_REFERER so if they try to access the file directly it says "Nothing to see here". The download code is only good for two downloads and that information is in my database. If they try to use the code more than the two times it tells them that their download limit has been exceeded.
@rtrethewey (May 18, 2012):
As I say, the best approach is to assign a unique identifier to each user that makes a purchase and store that identifier in your database. Then you can have your PayPal callback script note the payment in your database for that user. You can attach the identifier to the user with PHP sessions for single-visit methods, or make a full customer account creation system with log-ins so they can pay and download in separate visits (which can be helpful if you have a lot of failed downloads).

I'm sure if you do some searches or check the script directories, you'll be able to find many different ways of doing this securely. Good luck!
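A download script along the lines rtrethewey describes, combined with the two-download limit from @mcco's setup, as an added example that is not code from either poster. The decision is made from the database row rather than from a header the client controls, the counter is incremented atomically so two parallel requests cannot both get through, and the file is streamed from a directory outside the web root. The `purchases` table and its columns, the PDO connection details and the file directory are assumptions.

```php
<?php
// Added example: serve a purchased file only after checking the download code
// server-side. Table name, column names, DSN and paths are assumptions.
const FILE_DIR      = '/var/www/private_files'; // outside the web root, never linked directly
const MAX_DOWNLOADS = 2;                         // limit mentioned in the thread

$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Download codes are expected to be random tokens; reject anything else early.
$code = $_POST['code'] ?? '';
if (!preg_match('/^[A-Za-z0-9]{32}$/', $code)) {
    http_response_code(403);
    exit('Invalid download code.');
}

// The server decides which file the code unlocks; the client never names a file.
$stmt = $pdo->prepare('SELECT file_name FROM purchases WHERE download_code = :code AND paid = 1');
$stmt->execute([':code' => $code]);
$fileName = $stmt->fetchColumn();
$path = $fileName === false ? '' : FILE_DIR . '/' . basename($fileName);
if ($fileName === false || !is_file($path)) {
    http_response_code(404);
    exit('Nothing to see here.');
}

// Atomic check-and-increment: the UPDATE only matches while the limit is not
// reached, so the counter is consumed and checked in a single statement.
$stmt = $pdo->prepare(
    'UPDATE purchases SET downloads = downloads + 1
     WHERE download_code = :code AND paid = 1 AND downloads < :max'
);
$stmt->bindValue(':code', $code);
$stmt->bindValue(':max', MAX_DOWNLOADS, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() !== 1) {
    http_response_code(403);
    exit('Your download limit has been exceeded.');
}

// Stream the file from the private directory with the original file name.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($fileName) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Unlike the referer check, every input to the decision (paid flag, file name, download count) comes from the database, and the file path is built from the stored name with `basename()` so a request cannot reach outside FILE_DIR.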