Allow a download only after someone paid?
Posted: Fri Sep 18, 2009 3:33 pm
by ChrisF79
Greetings:
I'm finishing up a site where people can buy an ebook. The payments come through and I can see that they paid and everything is good there. The question is, how do I then, and only then, allow them to download the ebook? If I have the ebook in mywebsite.com/ebook/ as an example, how would I prevent someone from just going there and downloading it? Not sure how developers usually handle this, so any best practices or examples would be very helpful!
Thanks!
Re: Allow a download only after someone paid?
Posted: Fri Sep 18, 2009 3:41 pm
by tvdhoff
Hi,
I've been experimenting with something like that too.
One of the things I came up with is generating a unique identifier for each file a user has permission for and then using mod_rewrite (http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html) to link those identifiers to the actual file. This way the user doesn't get to see the actual URL and can only use his identifier, which you can revoke anytime when his allotted timeslot is up or when he doesn't pay his monthly fee or whatever.
Re: Allow a download only after someone paid?
Posted: Fri Sep 18, 2009 3:44 pm
by Eran
The most common practice is to use identifiers (hashes), but stored in a database and not through Apache. The files themselves are stored outside the document root and are served through PHP, which checks for a valid identifier in the database (and can expire it afterwards).
Re: Allow a download only after someone paid?
Posted: Fri Sep 18, 2009 3:46 pm
by ChrisF79
pytrin wrote: The most common practice is to use identifiers (hashes), but stored in a database and not through Apache. The files themselves are stored outside the document root and are served through PHP, which checks for a valid identifier in the database (and can expire it afterwards).
Could you give an example of this? So if I put the file outside of my public_html folder, do I just move it somewhere temporarily for them to download it and then delete it once the download is finished? I'm pretty new to this part of things.
Re: Allow a download only after someone paid?
Posted: Fri Sep 18, 2009 3:52 pm
by tvdhoff
Got a nice explanation with usable code here:
http://www.ardamis.com/2008/06/11/prote ... nique-url/
It's the same technique pytrin mentioned. Only thing to improve on this example is the protection of the key generator page.
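The approach described in this thread (an unguessable identifier stored in a database, the file kept outside the document root and served through PHP), shown as an added example that is not part of any post above and is not the code from the linked article. The `download_tokens` table and its columns, the file paths, the SQLite DSN and the `t` query parameter are assumptions made for illustration.

```php
<?php
// Added example. Assumed schema (names are hypothetical):
//   CREATE TABLE download_tokens (token_hash TEXT PRIMARY KEY, order_id INTEGER,
//                                 expires_at INTEGER, uses_left INTEGER);
const EBOOK_PATH = '/home/site/private/ebook.pdf'; // assumed path outside the document root

// Call once the payment is confirmed; put the returned token in the buyer's link.
function issueToken(PDO $db, int $orderId, int $ttl = 86400, int $uses = 3): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not guessable
    $stmt = $db->prepare('INSERT INTO download_tokens
        (token_hash, order_id, expires_at, uses_left) VALUES (?, ?, ?, ?)');
    // Store only a hash, so a leaked table does not contain working links.
    $stmt->execute([hash('sha256', $token), $orderId, time() + $ttl, $uses]);
    return $token; // e.g. download.php?t=<token>
}

function redeemToken(PDO $db, $token): bool
{
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false; // rejects arrays (?t[]=x) and malformed values
    }
    // Single atomic UPDATE: matches only an unexpired token with uses remaining.
    $stmt = $db->prepare('UPDATE download_tokens SET uses_left = uses_left - 1
        WHERE token_hash = ? AND expires_at > ? AND uses_left > 0');
    $stmt->execute([hash('sha256', $token), time()]);
    return $stmt->rowCount() === 1;
}

function sendFile(string $path, string $name): void
{
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path); // path is a server-side constant, never taken from the request
}

// download.php entry point
if (PHP_SAPI !== 'cli') {
    $db = new PDO('sqlite:/home/site/private/shop.sqlite'); // assumed DSN
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    if (redeemToken($db, $_GET['t'] ?? null)) {
        sendFile(EBOOK_PATH, 'ebook.pdf');
    } else {
        http_response_code(403);
        echo 'This download link is invalid or has expired.';
    }
}
```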