Page 1 of 1

Securing paid file download

Posted: Mon Jul 06, 2009 4:10 am
by durian
Hi, as a newbie to PHP security, I'm wondering if the following solution to secure paid file download is watertight:

* create a session
* create a random number, e.g. with mt_rand() and keep it as a session variable
* on payment, pass this random number to the payment service provider and have it returned on payment completion.
* on download page, check if returned value mathes random number stored in session variable.
If it does, enable file download.

Any suggestions welcome! Many thanks, Louis.

Re: Securing paid file download

Posted: Mon Jul 06, 2009 5:41 am
by kaisellgren
I don't think there's a need for random numbers here. The payment form should send the filename/id to the payment service. I don't know what payment service you are using, but I'll explain what I would do with PayPal.

1) Create a user system.
2) Create a database table similar to:

filename/id
userid

3) Create the payment form that contains the filename/id that will be sent to PayPal. PayPal's instant notification system will then alarm a script about transactions and if I receive a successful money transaction I will take a look at the filename/id that PayPal provided me and I will create a new entry to the database table:

filename/id: some_cool_file.zip
userid: 123

And now if the user 123 tries to download some_cool_file.zip he will be able to do so (you check if the record exists).

That's probably the simplest way to construct paid file downloads. You may want to think about other things such as download expiration, different prices for files, coupons, buying more files at once being cheaper, etc.

You need to be careful for implementing something like this. You wouldn't want anybody to download a file after a fraud 1 cent transaction :P

In general, I would never store something like successful payment transactions in sessions, because sessions are not meant to be a permanent data storage and get expired/destroyed at some point and what comes to security, we have not yet really dealt with security at all, this is just a planning stage we are on. You might want to ask someone to evaluate your finished work (or ask here).

Re: Securing paid file download

Posted: Tue Jul 07, 2009 2:55 am
by durian
Many thanks, Kai.