Securing paid file download

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

durian
Forum Newbie
Posts: 2
Joined: Mon Jul 06, 2009 3:56 am

Securing paid file download

Post by durian »

Hi, as a newbie to PHP security, I'm wondering if the following solution to secure paid file download is watertight:

* create a session
* create a random number, e.g. with mt_rand() and keep it as a session variable
* on payment, pass this random number to the payment service provider and have it returned on payment completion.
* on download page, check if returned value matches random number stored in session variable.
If it does, enable file download.

Any suggestions welcome! Many thanks, Louis.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Securing paid file download

Post by kaisellgren »

I don't think there's a need for random numbers here. The payment form should send the filename/id to the payment service. I don't know what payment service you are using, but I'll explain what I would do with PayPal.

1) Create a user system.
2) Create a database table similar to:

filename/id
userid

3) Create the payment form that contains the filename/id that will be sent to PayPal. PayPal's instant notification system will then alert a script about transactions, and if I receive a successful money transaction I will take a look at the filename/id that PayPal provided me and create a new entry in the database table:

filename/id: some_cool_file.zip
userid: 123

And now if the user 123 tries to download some_cool_file.zip he will be able to do so (you check if the record exists).

That's probably the simplest way to construct paid file downloads. You may want to think about other things such as download expiration, different prices for files, coupons, buying more files at once being cheaper, etc.

You need to be careful when implementing something like this. You wouldn't want anybody to download a file after a fraudulent 1 cent transaction :P

In general, I would never store something like successful payment transactions in sessions, because sessions are not meant to be permanent data storage and get expired/destroyed at some point. As for security, we have not yet really dealt with security at all; this is just the planning stage we are at. You might want to ask someone to evaluate your finished work (or ask here).
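The flow described in the post above, as an added example that is not code from the thread or from PayPal. It assumes the notification has already been confirmed as genuine with PayPal, uses PayPal's standard IPN variable names, carries the user id in the `custom` field, and adds a `txn_id` column to the table; the catalogue, price and merchant address are constructed.

```php
<?php
// Added example: schema, price and merchant address are constructed assumptions.
// $ipn is assumed to be already confirmed as genuine with PayPal.
const MERCHANT = 'seller@example.com';
const CATALOG = ['some_cool_file.zip' => ['price' => '9.99', 'currency' => 'USD']];

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE purchases (txn_id TEXT PRIMARY KEY, userid INTEGER, file_id TEXT)');
    return $db;
}

// Grants access only when the notification matches what is actually for sale.
function record_payment(PDO $db, array $ipn): bool {
    $file = $ipn['item_number'] ?? '';
    $item = is_string($file) ? (CATALOG[$file] ?? null) : null;
    $txn = $ipn['txn_id'] ?? '';
    $userid = filter_var($ipn['custom'] ?? '', FILTER_VALIDATE_INT);
    if ($item === null || $txn === '' || $userid === false) return false;
    if (($ipn['receiver_email'] ?? '') !== MERCHANT) return false;
    if (($ipn['payment_status'] ?? '') !== 'Completed') return false;
    if (($ipn['mc_currency'] ?? '') !== $item['currency']) return false;
    // Compare whole cents so a 0.01 payment can never pass for 9.99.
    $paid = (int) round(((float) ($ipn['mc_gross'] ?? 0)) * 100);
    $due = (int) round(((float) $item['price']) * 100);
    if ($paid < $due) return false;
    // txn_id is the primary key, so a replayed notification inserts nothing.
    $st = $db->prepare('INSERT OR IGNORE INTO purchases VALUES (?, ?, ?)');
    $st->execute([$txn, $userid, $file]);
    return $st->rowCount() === 1;
}

// $userid must come from the logged-in session, never from the request.
function may_download(PDO $db, int $userid, string $file): bool {
    $st = $db->prepare('SELECT 1 FROM purchases WHERE userid = ? AND file_id = ?');
    $st->execute([$userid, $file]);
    return $st->fetchColumn() !== false;
}

// Constructed sample notifications: a full payment, its replay, a 1 cent attempt.
$db = make_db();
$good = ['txn_id' => 'T1', 'payment_status' => 'Completed', 'mc_gross' => '9.99',
         'mc_currency' => 'USD', 'receiver_email' => MERCHANT,
         'item_number' => 'some_cool_file.zip', 'custom' => '123'];
$cheap = ['txn_id' => 'T2', 'mc_gross' => '0.01', 'custom' => '456'] + $good;
var_dump(record_payment($db, $good), record_payment($db, $good), record_payment($db, $cheap));
var_dump(may_download($db, 123, 'some_cool_file.zip'), may_download($db, 456, 'some_cool_file.zip'));
```

The first call records the purchase; the replay and the 1 cent notification are rejected, so only user 123 passes the download check.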
durian
Forum Newbie
Posts: 2
Joined: Mon Jul 06, 2009 3:56 am

Re: Securing paid file download

Post by durian »

Many thanks, Kai.