Solved

Unique encrypted URL generation for one-time access only

Posted on 2003-10-27
Last Modified: 2008-02-26
I would like to know if it is possible to do this through code or if there is any economical software available (freeware would be great) that can do this.
We would like to make certain PDF files available for sale. When the customer completes the formalities to purchase the PDF online right after his credit card is validated, we would like to display the link to the PDF file to the customer such that clicking on the link would allow the user to view the file. However, the link would have to be encrypted and it would have to be made available for one-time use only so that the link cannot be shared with anyone else.
Does anyone know how this can be done?
Question by:rbhatia
10 Comments
 
LVL 3

Expert Comment

by:red010knight
Yes, there are numerous ways to do it. The questions become what platform are you using and what type of coding are you able to run? PHP and MySQL can easily handle this type of use. Both of which are free and can easily be set up on a Linux/Unix OS.

However, one issue that may arise is if the buyer loses internet connection while reading the document?

Solution would be to sell it based on the user's IP address instead and have it accessible for a day or something like that.

If you have PHP and MySQL, I can give you a quick walk through on getting it to work.

Let me know,
red010knight
0
 

Author Comment

by:rbhatia
Don't have PHP.
Running the website on a Windows box with IIS 5.
0
 
LVL 6

Assisted Solution

by:GaryFx
GaryFx earned 25 total points
Using the IP address is problematic, too, because the user may be using DHCP and could conceivably switch IP addresses.  Another solution would be to generate a cookie and use that to control access.

But note that there's no way to prevent the person from sharing the document.  I don't think there's a way to tell the Acrobat reader to not allow saving a copy of the document, and even if there were, the PDF spec is well known and someone could always write a PDF viewer that could save copies.  For that, you may need some other strategy.  A search on Google for pdf security turned up http://www.fileopen.com as one possibility.

Gary
0
 
LVL 3

Expert Comment

by:red010knight
True,

The only true way to avoid the document being shared is not to sell it in the first place. But that would not accomplish the goals, would it?

It really will boil down to how sensitive is the information you are selling and the purpose behind it.

More than likely you will only accomplish deterring people from sharing the link. While PDF documents can be secured to a degree, one can easily paste the link into Google or another file conversion/capturing program and make the document into workable data.  For this is one of the biggest challenges currently facing web security that is still being researched.

One way that might work to view the data is to set up a member database, and rather than charging by time involved you can charge for how many times the file was accessed.  Again without knowing the data, this line of security is rather hard to extrapolate and present in a way that will be useful to follow.

Stage 1- Have a membership database with a set fee. Then additional fee for each time the file is accessed.
Stage 2- Set up the database to track a member's access of files
Stage 3- Set up a monthly billing that goes in and charges for unbilled access of files the user asked for.

That's the easiest solution I can foresee with the least amount of problems involved. And perhaps a larger fee if the person wants to download the file for use with some sort of license agreement as to what uses they will put it through and so forth so if you find they used it you can bill them or whatever penalty you wish to impart for unauthorized use of files.

Hope this information helps,
Red010Knight
0
 

Author Comment

by:rbhatia
The security I'm looking for is medium level. I would like to permit people who have purchased the PDF to be able to download it and save it. However, I would not like to allow people to directly access the URL link without having paid for it. That's where I would need the encrypted link that would expire after let's say a day or so. So each time somebody purchases the PDF, they would get a unique encrypted URL that would allow them to view and download the PDF. But if they try to access the link a second time, it would take them nowhere.
Can somebody recommend code or software that I can use to achieve this?
0
 
LVL 3

Expert Comment

by:red010knight
Unless I miss my guess, you are using a database to store the transaction thus it should be rather simple to do it this way and I will offer this in generic pseudo code setup:

In your database you should add another field that would be a unique code that is generated by the database addition. Most databases have an encryption algorithm that can be implemented during an insert call. So what I would suggest is having say the Purchase Order # and filename combined into a single string and encrypted to create a unique ID number (or key) that you can use in the link you send the customer.

The second phase would involve a processing page that takes the variable via a GET function, checks the database for the 'key' and if the 'key' was previously used or not used.
--If the 'key' was used it sends the customer to a page saying that they have already accessed this file.
--If not used, it takes the filename from the database and initiates the download through your scripts on system. And then updates the field in the database to show it has been downloaded.

This should cover the requirements of what you need to do. Sorry it's not the actual code, but I am not sure of the coding platforms your system actually supports or the database you are using.

But in practice this should be a straightforward setup with little complications. Hope this helps as it says it is possible to set this up using code.

Red010Knight
0
 

Author Comment

by:rbhatia
That does help. However, still have a few doubts...
I'm using SQL as my database server app. What is the encryption algorithm that I can use for SQL?
Also, when the user clicks on the encrypted link that would take him to the download page, wouldn't the actual path/URL of the file be visible to him?
What is the script I can use such that clicking on the link would immediately trigger the download?
0
 
LVL 3

Accepted Solution

by:
red010knight earned 100 total points
SQL generally uses md5 encryption and the syntax is
  MD5('string')
You may want to verify that in your manual to double check.

As to the second part, the URL yes and no.

You should be able to set up your code to do a quick download that will auto initiate the -open - save dialogue.

On that page to make it as straightforward as possible it will need to do these things:
1>Verify the user permission to download the file
2>Transfer the file to a temp folder
3>Initiate download procedures
4>Once file is done downloading, purge the file from the system
5>redirect to a page to thank the user and express your hopes for his satisfaction or something like that.

You could set up the renaming convention to be the buyer's initials + a portion of the file to be downloaded. So now not only do you have a unique key to access the file, you have a unique filename the user will have to use.

Javascript should be able to initiate the file download through use of open('url') or something like that.

Red010knight
0
 
LVL 6

Expert Comment

by:GaryFx
MD5 is a hash, not an encryption.  For this purpose, it's probably fine since you won't need to undo it.  

Don't worry about whether or not the URL is visible, because a) a logger (such as that included with Norton Personal Firewall) will track it anyway, as will the history logs in some browsers; and b) you're going to delete the link after some time period anyway.

Gary
0
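An added example (not code from any of the posts above) of the one-time key scheme discussed in this thread, written in Python with SQLite standing in for the SQL server. It swaps the MD5 of purchase order number plus filename for a random token stored only as a SHA-256 hash; the table name, column names and one-day lifetime are assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 24 * 3600  # assumed lifetime ("a day or so" in the question)

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE download_keys (
        key_hash   TEXT PRIMARY KEY,   -- SHA-256 of the token; raw token is never stored
        order_no   TEXT NOT NULL,
        filename   TEXT NOT NULL,
        expires_at INTEGER NOT NULL,
        used_at    INTEGER)""")
    return db

def _hash(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_key(db, order_no, filename, now=None):
    """Call after payment is validated; returns the token to put in the link."""
    now = int(time.time()) if now is None else now
    # Random token: unlike a hash of order number + filename, it cannot be
    # recomputed by someone who knows or guesses those two values.
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO download_keys VALUES (?, ?, ?, ?, NULL)",
               (_hash(token), order_no, filename, now + TTL_SECONDS))
    db.commit()
    return token

def redeem_key(db, token, now=None):
    """Return the filename to stream on a valid first use, otherwise None."""
    now = int(time.time()) if now is None else now
    # One conditional UPDATE checks and marks the key as used atomically, so
    # two simultaneous requests with the same key cannot both succeed.
    cur = db.execute(
        "UPDATE download_keys SET used_at = ? "
        "WHERE key_hash = ? AND used_at IS NULL AND expires_at > ?",
        (now, _hash(token), now))
    db.commit()
    if cur.rowcount != 1:
        return None  # unknown, already used, or expired
    row = db.execute("SELECT filename FROM download_keys WHERE key_hash = ?",
                     (_hash(token),)).fetchone()
    return row[0]  # caller streams this file from a folder outside the web root
```

The same conditional UPDATE works on SQL Server, and because the download page streams the file itself, the storage path never appears in a URL.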
 

Author Comment

by:rbhatia
Thank you all for your contributions!
0
