Solved

Unique encrypted URL generation for one-time access only

Posted on 2003-10-27
Last Modified: 2008-02-26
I would like to know if it is possible to do this through code or if there is any economical software available (freeware would be great) that can do this.
We would like to make certain PDF files available for sale. When the customer completes the formalities to purchase the PDF online right after his credit card is validated, we would like to display the link to the PDF file to the customer such that clicking on the link would allow the user to view the file. However, the link would have to be encrypted and it would have to be made available for one-time use only so that the link cannot be shared with anyone else.
Does anyone know how this can be done?
0
Question by:rbhatia
10 Comments
 
LVL 3

Expert Comment

by:red010knight
ID: 9630450
Yes, there are numerous ways to do it. The questions become what platform are you using and what type of coding are you able to run? PHP and MySQL can easily handle this type of use. Both of which are free and can easily be set up on a Linux/Unix OS.

However, one issue that may arise is if the buyer loses internet connection while reading the document?

Solution would be to sell it based on the user's IP address instead and have it accessible for a day or something like that.

If you have PHP and MySQL, I can give you a quick walk through on getting it to work.

Let me know,
red010knight
0
 

Author Comment

by:rbhatia
ID: 9630541
Don't have PHP.
Running the website on a Windows box with IIS 5.
0
 
LVL 6

Assisted Solution

by:GaryFx
GaryFx earned 25 total points
ID: 9631125
Using the IP address is problematic, too, because the user may be using DHCP and could conceivably switch IP addresses.  Another solution would be to generate a cookie and use that to control access.

But note that there's no way to prevent the person from sharing the document.  I don't think there's a way to tell the Acrobat reader to not allow saving a copy of the document, and even if there were, the PDF spec is well known and someone could always write a PDF viewer that could save copies.  For that, you may need some other strategy.  A search on Google for pdf security turned up http://www.fileopen.com as one possibility.

Gary
0
LVL 3

Expert Comment

by:red010knight
ID: 9631271
True,

The only true way to avoid the document being shared is not to sell it in the first place. But that would not accomplish the goals would it?

It really will boil down to how sensitive is the information you are selling and the purpose behind it.

More than likely you will only accomplish deterring people from sharing the link. While PDF documents can be secured to a degree, one can easily paste the link into google or another file conversion/capturing program and make the document into workable data.  For this is one of the biggest challenges currently facing web security that is still being researched.

One way that might work to view the data is to set up a member database, and rather than charging by time involved you can charge for how many times the file was accessed.  Again without knowing the data, this line of security is rather hard to extrapolate and present in a way that will be useful to follow.

Stage 1- Have a membership database with a set fee. Then additional fee for each time the file is accessed.
Stage 2- Set up the database to track a member's access of files
Stage 3- Set up a monthly billing that goes in and charges for unbilled access of files the user asked for.

That's the easiest solution I can foresee with the least amount of problems involved. And perhaps a larger fee if the person wants to download the file for use with some sort of license agreement as to what uses they will put it through and so forth so if you find they used it you can bill them or whatever penalty you wish to impart for unauthorized use of files.

Hope this information helps,
Red010Knight
0
 

Author Comment

by:rbhatia
ID: 9633491
The security I'm looking for is medium level. I would like to permit people who have purchased the PDF to be able to download it and save it. However, I would not like to allow people to directly access the URL link without having paid for it. That's where I would need the encrypted link that would expire after let's say a day or so. So each time somebody purchases the PDF, they would get a unique encrypted URL that would allow them to view and download the PDF. But if they try to access the link a second time, it would take them nowhere.
Can somebody recommend code or software that I can use to achieve this ?
0
 
LVL 3

Expert Comment

by:red010knight
ID: 9635615
Unless I miss my guess, you are using a database to store the transaction thus it should be rather simple to do it this way and I will offer this in generic pseudo code setup:

In your database you should add another field that would be a unique code that is generated by the database addition. Most databases have an encryption algorithm that can be implemented during an insert call. So what I would suggest is having say the Purchase Order # and filename combined into a single string and encrypted to create a unique ID number (or key) that you can use in the link you send the customer.

The second phase would involve a processing page that takes the variable via a GET function, checks the database for the 'key' and if the 'key' was previously used or not used.
--If the 'key' was used it sends the customer to a page saying that they have already accessed this file.
--If not used, it takes the filename from the database and initiates the download through your scripts on system. And then updates the field in the database to show it has been downloaded.

This should cover the requirements of what you need to do. Sorry it's not the actual code, but I am not sure of the coding platforms your system actually supports or the database you are using.

But in practice this should be a straightforward setup with little complications. Hope this helps as it says it is possible to set this up using code.

Red010Knight
0
 

Author Comment

by:rbhatia
ID: 9635792
That does help. However, still have a few doubts...
I'm using SQL as my database server app. What is the encryption algorithm that I can use for SQL ?
Also, when the user clicks on the encrypted link that would take him to the download page, wouldn't the actual path/URL of the file be visible to him ?
What is the script I can use such that clicking on the link would immediately trigger the download ?
0
 
LVL 3

Accepted Solution

by:
red010knight earned 100 total points
ID: 9636642
SQL generally uses md5 encryption and the syntax is
  MD5('string')
You may want to verify that in your manual to double check.

As to the second part, the URL yes and no.

You should be able to set up your code to do a quick download that will auto initiate the -open - save dialogue.

On that page to make it as straightforward as possible it will need to do these things:
1>Verify the user permission to download the file
2>Transfer the file to a temp folder
3>Initiate download procedures
4>Once file is done downloading, purge the file from the system
5>redirect to a page to thank the user and express your hopes for his satisfaction or something like that.

You could set up the renaming convention to be the buyer's initials + a portion of the file to be downloaded. So now not only do you have a unique key to access the file, you have a unique filename the user will have to use.

Javascript should be able to initiate the file download through use of open('url') or something like that.

Red010knight
0
 
LVL 6

Expert Comment

by:GaryFx
ID: 9639264
MD5 is a hash, not an encryption.  For this purpose, it's probably fine since you won't need to undo it.  

Don't worry about whether or not the URL is visible, because a) a logger (such as that included with Norton Personal Firewall) will track it anyway, as will the history logs in some browsers; and b) you're going to delete the link after some time period anyway.

Gary
0
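
An added example, not code from any poster in this thread, of the key-table scheme red010knight outlines and the hash point GaryFx raises, written in Python with an in-memory SQLite table standing in for the SQL database; the table, column and function names are assumptions. It goes one step beyond the thread: the key is a random token rather than a hash of the purchase order number and filename (a hash of guessable inputs is itself guessable), and the one-day expiry rbhatia asks for is enforced in the same query that marks the key as used.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 24 * 3600  # assumption: a link stays valid for one day


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE download_keys (
        key_hash   TEXT PRIMARY KEY,  -- SHA-256 of the token, never the token itself
        order_no   TEXT NOT NULL,
        filename   TEXT NOT NULL,     -- server-side path, never sent to the browser
        expires_at REAL NOT NULL,
        used       INTEGER NOT NULL DEFAULT 0)""")
    return db


def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_key(db, order_no, filename, now=None):
    """Run after payment succeeds; returns the token to put in the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # random, not derived from order data
    db.execute("INSERT INTO download_keys (key_hash, order_no, filename, expires_at)"
               " VALUES (?, ?, ?, ?)",
               (_digest(token), order_no, filename, now + TTL_SECONDS))
    db.commit()
    return token


def redeem_key(db, token, now=None):
    """Processing page: returns the file to stream, or None to refuse."""
    now = time.time() if now is None else now
    try:
        key_hash = _digest(token)
    except UnicodeEncodeError:  # non-ASCII input cannot be a token we issued
        return None
    # One conditional UPDATE checks and marks the key in a single statement,
    # so two simultaneous requests with the same key cannot both succeed.
    cur = db.execute("UPDATE download_keys SET used = 1"
                     " WHERE key_hash = ? AND used = 0 AND expires_at > ?",
                     (key_hash, now))
    db.commit()
    if cur.rowcount != 1:
        return None  # unknown, expired or already used
    return db.execute("SELECT filename FROM download_keys WHERE key_hash = ?",
                      (key_hash,)).fetchone()[0]
```

Because the key is marked used when the download starts, a transfer that breaks off midway consumes it; a purchaser in that situation needs a fresh key issued against the same order.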
 

Author Comment

by:rbhatia
ID: 9644193
Thank you all for your contributions !
0
