How do I control the number of downloads?

Tell me if this belongs in another category......

Here's what I want to do:

I want to offer some material through a webpage, as .htm files, probably zipped with a bunch of gifs and an index included.  A person would pay a fee, then recieve a password by email which would allow them one download that must be done by a certain date.

I know how to set up an ftp download from a webpage. How do I set it up to take passwords?  How do I allow only one download per password?  How do I make the password "expire"?

I have a shell account.

castello
castelloAsked:
Who is Participating?
 
mcriderConnect With a Mentor Commented:
castello,

You said:

  >>But how can I insure that a person only downloads one copy?  It looks like I have to search a password file to determine whether the one given is valid?  Then I would simply delete the password once it's given by the visitor, that way they couldn't use it again?


Absolutely right! When the CGI receives a valid password, it transfers the file and then removes the password from the file or database you are keeping them in.  I would suggest that passwords be something like the phone number of the individual or email address...


Cheers!®©




0
 
mcriderCommented:
I would suggest doing this via CGI script.  That way, all the user would have to do is navigate their browser to your CGI.  It would generate a page asking for a password. If the password given is valid, it generates a page for them to download the item.

Since the page only exists when the CGI creates it, just knowing the URL will not get the file...

By the way, you posted this question twice... Unless you want to loose another 200 points, I would go and delete the other question...  That question is http://www.experts-exchange.com/jsp/qShow.jsp?ta=unix&qid=10317094 


Cheers!®©
0
 
jlevieCommented:
You could use dynamically created directories, protected by .htaccess files, that contain the download data for that user. To be able to clean the data after the time period has elapsed you should use a directory name that includes date info. Then a cron script can tell when the dir should be deleted. The only problem with this approach is that the data isn't protected if the user accesses the site directly with an ftp client rather than a browser. All of the ftp access is actually through the anonymous ftp account.

A better method would be to create an encrypted download, using the password as the key. Again having date info in the file name would make cleaning of "expired downloads" easy from a cron script.
0
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

 
castelloAuthor Commented:
mcrider, that sounds like a good way to go.  But how can I insure that a person only downloads one copy?  It looks like I have to search a password file to determine whether the one given is valid?  Then I would simply delete the password once it's given by the visitor, that way they couldn't use it again?

I've actually set up a simple version of this using htpasswd.  And I had to do it via http, not ftp (htpasswd doesn't work for the ftp server at my ISP.  Is this normal?).  It works fine -- requires a password, but not if I go into my space via an ftp client.  Is there any way, jlevie, to prevent people from just going to my public html space and downloading the file for free?
0
 
jlevieCommented:
Not unless you use an ftp server that supports dynamically created users, probably outside of /etc/passwd, and that has the ability to restrict an ftp user to a specific dir. That's the reason I suggested using an "encrypted download". It won't stop the user from downloading the file more than once while it's on the system, but they do have to have the password to be able to decrypt the file and use the data. You can pack and encrypt the data with zip, using the password you assign to that user and the user will be prompted for the password when they unzip the file.

For what it's worth, I've used this method to distribute proprietary applications in the past.
0
 
castelloAuthor Commented:
jlevie, this does sound really secure, but I think it's way beyond my knowledge and ability at this point, and I don't think my ISP has the capability.
0
 
jlevieCommented:
Actually the only part of it that the ISP would have to have is the zip executable. There's a decent chance that it might already be there, or that they would consider installing it (you are paying for your service, after all). There would be alternatives if the download was known to be going to unix boxes, but I suspect that your targeted market is the PC world, That unfortunately restricts you to something like zip or pkzip format.
0
 
castelloAuthor Commented:
I'm not going to take this approach now, because using htpasswd is less labor intensive.  If my "venture" is successful, I will certainly go for this more secure approach.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.