Best way to secure digital downloads?

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

Post Reply
phpoet
Forum Newbie
Posts: 1
Joined: Wed Jan 13, 2010 9:06 pm

Best way to secure digital downloads?

Post by phpoet »

What is the best way to secure access to digital files that you would like to make available for download like if you were selling a digital file (like a video) from your website?

My current implementation is this:
1) Someone buys my video
2) The buyer gets a url like this: http://www.mysite.com/download.php?token=<token>
3) The download.php script verifies that the given token is valid and that the max number of downloads using the given token is less than the max allowed (3 downloads).
4) The download.php script sets the header() to force a download then reads the video file from a non-web accessible folder on the server and echos the binary data out to the browser.

The problems I have with this are:
1) If the video file is large, the PHP script can run out of memory reading in the video file
2) If the video file is large and takes a long time to download the PHP script can time out before the download completes.

Rather than reading in the video file and echoing out the data to the browser, I could just put the video file in a web accessible folder and redirect the buyer to it. But the problems I have with that are:
1) A url like http://www.mysite.com/product/myVideo.mov does not always force a download and sometimes just plays in the browser
2) Someone could book mark the url and download the video as many times as they want or pass the link on to other people.

Are there any other solutions? What is the best way to secure a digital download, especially for large files? Thanks for the help!
User avatar
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: Best way to secure digital downloads?

Post by pickle »

I assume you're using readfile() to pass the file? That reads the whole file in first, then sends it to the browser. If you used fopen() and fread(), you could read a file piecemeal & not hit the memory limit.

The timeout is trickier. You can set the timeout to 0 with ini_set(), which effectively removes the time limit. The trouble with that is you could potentially have lots of Apache threads running. I can't think of any other method.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Post Reply