Game Development Community

Controlling download access

by Sean H. · in Technical Issues · 05/05/2006 (1:16 pm) · 7 replies

At some point in the future I would like to do some online merchandising of my gaming software. I already have a domain for my site, but unfortunately they seriously limit the size of file uploads. Basically this service is to be used mainly for the site itself and not for hosting large files. I've decided to go with a separate provider for large file hosting.

For the web gurus out there, if I go with a scheme like this is there any way to control access to the download URL or content? I guess what I'm asking is, do companies which do large file hosting usually support some kind of mechanism for limiting or controlling downloads? The scenario I would like to avoid is giving customers access to a download URL which could actually be used by anyone to download.

I know it would be a lot easier if my web host and file host were the same provider. But if I go with separate providers for each would I still be able to control who can and cannot download my games? I know this is largely dependent on the file host, I'm just kinda curious if there are ways of achieving this and what kinds of questions I should be asking potential providers.

thanks!

#1
05/05/2006 (2:48 pm)
You would provide your Client with an expiring download URL, which is randomly generated on the server. That's what is usually done.
You could also use a cookie system to restrict access, so our client would click 'Download', It would generate a random passkey, apply that to a directory name, you'd have a function that checks if the cookie matches the URL, if it's good it'll download otherwise it redirects.
#2
05/09/2006 (6:45 am)
Quote:You would provide your Client with an expiring download URL, which is randomly generated on the server.

Could someone explain how to code something like this? I don't need any actual code, but a high level explanation of how a server would associate a generated random code with something placed in a server directory. Would a new directory have to be created which matches the randomly generated URL and the product placed in that directory temporarily? Or would the randomly generated code reference a page which redirects the user to the downloadable product? I do know a fair amount about HTML, forms, and server scripting so I'm not a total noob, but I've never tried to implement something like this. I've seen a number of commercial products which manage downloadable content for you, but they're all just server scripts. If possible, I'd like to write my own custom solution rather than paying for PHP scripts.
#3
05/09/2006 (6:55 am)
As Mincetro said, you would do something like:
Quote:You could also use a cookie system to restrict access, so our client would click 'Download', It would generate a random passkey, apply that to a directory name, you'd have a function that checks if the cookie matches the URL, if it's good it'll download otherwise it redirects.

-
For example:
So client clicks a link to gen_download.php which generates a passcode and adds it to the database, with a file or directory name, unique id, passcode and an expire time.
They then get forwarded to download.php?passcode=NJD348u890efjj0f, which would look for the passcode in a database. If the expire time is more than the current date, the client will be asked to download. If it isn't available to download, the client would get a message saying "Download Expired".
You would also want to log all download attempts with IP addresses and times in a separate table or log file. :)

- Tom.

Edit:
The download.php script would find the passcode record in the database, and look for the filename in the same record. It would then offer that filename for download, by generating download headers, and offering the file in the headers.

Edit 2:
If you're going to write your own scripts, well and good.
Though, a good alternative would be something like PHPAudit which can handle all this for you. :)
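
The passcode flow described in #3 (gen_download.php mints a code, download.php looks it up, checks the expire time and logs the attempt), sketched in Python with SQLite as an added example; it is not code from the thread. The table layout, the one-hour lifetime and storing only a hash of the passcode are assumptions of this sketch.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 3600  # assumed link lifetime; the thread gives no figure


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS passcodes (
            id INTEGER PRIMARY KEY, code_hash TEXT UNIQUE,
            filename TEXT, expires_at REAL);
        CREATE TABLE IF NOT EXISTS attempts (
            ip TEXT, at REAL, code_hash TEXT, outcome TEXT);
    """)
    return db


def digest(passcode):
    # Only a hash is stored, so a leaked table does not yield working links.
    return hashlib.sha256(passcode.encode()).hexdigest()


def gen_download(db, filename, now=None):
    """gen_download.php step: mint a passcode for a file chosen server-side."""
    now = time.time() if now is None else now
    passcode = secrets.token_urlsafe(24)  # CSPRNG, not a general-purpose PRNG
    db.execute("INSERT INTO passcodes (code_hash, filename, expires_at) "
               "VALUES (?, ?, ?)", (digest(passcode), filename, now + TTL_SECONDS))
    db.commit()
    return passcode


def download(db, passcode, ip, now=None):
    """download.php step: return (outcome, filename or None), log the attempt."""
    now = time.time() if now is None else now
    h = digest(passcode)
    row = db.execute("SELECT filename, expires_at FROM passcodes "
                     "WHERE code_hash = ?", (h,)).fetchone()
    if row is None:
        outcome, filename = "unknown", None
    elif row[1] <= now:
        outcome, filename = "expired", None
    else:
        # The filename comes from the record, never from the request.
        outcome, filename = "ok", row[0]
    db.execute("INSERT INTO attempts VALUES (?, ?, ?, ?)", (ip, now, h, outcome))
    db.commit()
    return outcome, filename
```

Because the file name is read from the passcode record, a request cannot name an arbitrary path; an unknown or expired code gets no file and still leaves a row in the attempts table.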
#4
05/09/2006 (7:08 am)
Here's how I do it everyday.
First I create a directory on the server which holds the file I want to control download access to.
Let's call this folder "stuff"
Then I edit my apache configuration by adding a cookie control for the folder like so:
For me, I just edit the httpd.conf file for my server. Ask your webhost how to do this.
SetEnvIf Cookie "stuff" acstuff
<Directory /var/www/your/domain.com/www/downloads/stuff/>
order deny,allow
deny from all
Allow from env=acstuff
</Directory>

Now if anyone tries to access anything in my stuff folder, they can only do so if they have a cookie named "stuff".

Now all you have to do is write a cookie to the browser you want to have access to the folder.
Cookies can be written in javascript, perl, php, just about any scripting language. Also you can control how long they have access to the folder by setting a cookie expire date.
#5
05/09/2006 (7:14 am)
James, some people don't have httpd.conf available to edit on their servers. They may not be dedicated. Instead, they may be running off of a shared environment.

Plus, using scripts can be automatic. Another way would be to write .htaccess files....
#6
05/09/2006 (8:00 am)
Thanks to all for the enlightenment. I understand much better now. I'm considering the best way to do this, with minimal effort and commitment from the customer. A cookie-based solution would seem to be the easiest and most straightforward, but it would involve some trouble if the user happens to change computers, wipes their cookies, or buys a new computer and doesn't know why the download's not working anymore. A passcode-database solution seems to be more involved and complicated to write, but would be adequate and a bit more flexible. A hybrid solution perhaps? It seems like the main difficulty is not in the first offering, but coming up with a scheme of allowing the user continued access to the product without requiring that the customer create an account or provide an email. Customers want instant gratification when they're paying for a product and I would like to provide this kind of instant service without any kind of commitment or personal information.

Tom, I plan to use fileburst.com for my file hosting and their service does support .htaccess files but I don't think they're applicable to this situation. The impression I got was that .htaccess files were used for blocking particular domains from accessing your files. In other words, access is granted as long as the source doesn't happen to be one of those listed in the .htaccess file. What I'm interested in is the opposite, access to all users is blocked with a script granting access to certain users. I think .htaccess files are mainly for blocking known hackers and illegal distribution channels.
#7
05/09/2006 (8:13 am)
.htaccess can be used to allow and deny access.
You can do what James did, or you can use .htaccess username and password combination access - though you have to either write a script or create them manually.

If I was going to do something like this without having the user sign up, I would use a passcode system. They are pretty simple.

You might want to reconsider not making a user sign up. Making a user sign up for an account with a valid email and perhaps display their address of payment, telephone etc., may minimise the chance that they will post the download link (as people would have to log in to the person's account) publicly.

:)

- Tom.