[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 200
  • Last Modified:

How do I control the number of downloads?

Tell me if this belongs in another category......

Here's what I want to do:

I want to offer some material through a webpage, as .htm files, probably zipped with a bunch of gifs and an index included.  A person would pay a fee, then recieve a password by email which would allow them one download that must be done by a certain date.

I know how to set up an ftp download from a webpage. How do I set it up to take passwords?  How do I allow only one download per password?  How do I make the password "expire"?

I have a shell account.

castello
0
castello
Asked:
castello
  • 3
  • 3
  • 2
1 Solution
 
mcriderCommented:
I would suggest doing this via CGI script.  That way, all the user would have to do is navigate their browser to your CGI.  It would generate a page asking for a password. If the password given is valid, it generates a page for them to download the item.

Since the page only exists when the CGI creates it, just knowing the URL will not get the file...

By the way, you posted this question twice... Unless you want to loose another 200 points, I would go and delete the other question...  That question is http://www.experts-exchange.com/jsp/qShow.jsp?ta=unix&qid=10317094 


Cheers!®©
0
 
jlevieCommented:
You could use dynamically created directories, protected by .htaccess files, that contain the download data for that user. To be able to clean the data after the time period has elapsed you should use a directory name that includes date info. Then a cron script can tell when the dir should be deleted. The only problem with this approach is that the data isn't protected if the user accesses the site directly with an ftp client rather than a browser. All of the ftp access is actually through the anonymous ftp account.

A better method would be to create an encrypted download, using the password as the key. Again having date info in the file name would make cleaning of "expired downloads" easy from a cron script.
0
 
castelloAuthor Commented:
mcrider, that sounds like a good way to go.  But how can I insure that a person only downloads one copy?  It looks like I have to search a password file to determine whether the one given is valid?  Then I would simply delete the password once it's given by the visitor, that way they couldn't use it again?

I've actually set up a simple version of this using htpasswd.  And I had to do it via http, not ftp (htpasswd doesn't work for the ftp server at my ISP.  Is this normal?).  It works fine -- requires a password, but not if I go into my space via an ftp client.  Is there any way, jlevie, to prevent people from just going to my public html space and downloading the file for free?
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
jlevieCommented:
Not unless you use an ftp server that supports dynamically created users, probably outside of /etc/passwd, and that has the ability to restrict an ftp user to a specific dir. That's the reason I suggested using an "encrypted download". It won't stop the user from downloading the file more than once while it's on the system, but they do have to have the password to be able to decrypt the file and use the data. You can pack and encrypt the data with zip, using the password you assign to that user and the user will be prompted for the password when they unzip the file.

For what it's worth, I've used this method to distribute proprietary applications in the past.
0
 
castelloAuthor Commented:
jlevie, this does sound really secure, but I think it's way beyond my knowledge and ability at this point, and I don't think my ISP has the capability.
0
 
jlevieCommented:
Actually the only part of it that the ISP would have to have is the zip executable. There's a decent chance that it might already be there, or that they would consider installing it (you are paying for your service, after all). There would be alternatives if the download was known to be going to unix boxes, but I suspect that your targeted market is the PC world, That unfortunately restricts you to something like zip or pkzip format.
0
 
mcriderCommented:
castello,

You said:

  >>But how can I insure that a person only downloads one copy?  It looks like I have to search a password file to determine whether the one given is valid?  Then I would simply delete the password once it's given by the visitor, that way they couldn't use it again?


Absolutely right! When the CGI receives a valid password, it transfers the file and then removes the password from the file or database you are keeping them in.  I would suggest that passwords be something like the phone number of the individual or email address...


Cheers!®©




0
 
castelloAuthor Commented:
I'm not going to take this approach now, because using htpasswd is less labor intensive.  If my "venture" is successful, I will certainly go for this more secure approach.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 3
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now