What is the best way to secure access to digital files that you would like to make available for download like if you were selling a digital file (like a video) from your website?
My current implementation is this:
1) Someone buys my video
2) The buyer gets a url like this: http://www.mysite.com/download.php?token=<token>
3) The download.php script verifies that the given token is valid and that the max number of downloads using the given token is less than the max allowed (3 downloads).
4) The download.php script sets the header() to force a download then reads the video file from a non-web accessible folder on the server and echos the binary data out to the browser.
The problems I have with this are:
1) If the video file is large, the PHP script can run out of memory reading in the video file
2) If the video file is large and takes a long time to download, the PHP script can time out before the download completes.
Rather than reading in the video file and echoing out the data to the browser, I could just put the video file in a web accessible folder and redirect the buyer to it. But the problems I have with that are:
1) A url like http://www.mysite.com/product/myVideo.mov does not always force a download and sometimes just plays in the browser
2) Someone could bookmark the URL and download the video as many times as they want or pass the link on to other people.
Are there any other solutions? What is the best way to secure a digital download, especially for large files? Thanks for the help!
Best way to secure digital downloads?
Re: Best way to secure digital downloads?
I assume you're using readfile() to pass the file? That reads the whole file in first, then sends it to the browser. If you used fopen() and fread(), you could read a file piecemeal & not hit the memory limit.
The timeout is trickier. You can set the timeout to 0 with ini_set(), which effectively removes the time limit. The trouble with that is you could potentially have lots of Apache threads running. I can't think of any other method.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
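The chunked read suggested in the reply above, combined with the token check from the question, as an added example that is not code from either poster. The token store, the folder path, the chunk size and the function names are assumptions.

```php
<?php
// Added example; the token store, folder path and chunk size are assumptions.
const MAX_DOWNLOADS = 3;        // limit stated in the question
const CHUNK_BYTES   = 1048576;  // 1 MiB per fread() call
const PRIVATE_DIR   = '/var/private/videos'; // hypothetical non-web-accessible folder

// Hypothetical lookup; a real site would query its orders database.
function find_token(string $token): ?array {
    $store = ['constructed-sample-token' => ['file' => 'myVideo.mov', 'downloads' => 1]];
    return $store[$token] ?? null;
}

function token_allows_download(?array $row): bool {
    return $row !== null && $row['downloads'] < MAX_DOWNLOADS;
}

// Copy the file to the client one chunk at a time; returns bytes sent, or -1.
function stream_file(string $path, int $chunkBytes = CHUNK_BYTES): int {
    $in = fopen($path, 'rb');
    if ($in === false) { return -1; }
    $out = fopen('php://output', 'wb');
    $sent = 0;
    while (!feof($in) && !connection_aborted()) {
        $buf = fread($in, $chunkBytes);
        if ($buf === false || $buf === '') { break; }
        $sent += (int) fwrite($out, $buf);
        flush(); // hand the chunk to the web server before reading the next
    }
    fclose($in);
    fclose($out);
    return $sent;
}

$row = find_token((string) ($_GET['token'] ?? ''));
if (!token_allows_download($row)) {
    http_response_code(403);
    exit('Invalid or exhausted token');
}
// The filename comes from the store, never from the request.
$path = PRIVATE_DIR . '/' . basename($row['file']);
if (!is_file($path)) { http_response_code(404); exit('File not found'); }
// A real store would increment the download count here, before streaming.
set_time_limit(0); // removes the execution time limit, as the reply suggests
while (ob_get_level() > 0) { ob_end_clean(); } // buffering would hold the file in memory
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
stream_file($path);
```

Memory use stays near one chunk regardless of file size, and the Content-Disposition header forces a download instead of in-browser playback.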