Unique encrypted URL generation for one-time access only

I would like to know if it is possible to do this through code or if there is any economical software available (freeware would be great) that can do this.
We would like to make certain PDF files available for sale. When the customer completes the formalities to purchase the PDF online right after his credit card is validated, we would like to display the link to the PDF file to the customer such that clicking on the link would allow the user to view the file. However, the link would have to be encrypted and it would have to be made available for one-time use only so that the link cannot be shared with anyone else.
Does anyone know how this can be done.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Yes there are numerous ways to do it. The questions become what platform are you using and what type of coding are you able to run? PHP and MySQL can easily handle this type of use. Both of which are free and can easily be set up on a linux/unix OS.

However, one issue that may arrise is if the buyer loses internet connection while reading the document?

Solution would be to sale it based on the user's IP address instead and have it accessible for a day or something like that.

If you have PHP and MySQL, I can give you a quick walk through on getting it to work.

let me know,
rbhatiaAuthor Commented:
Don't have PHP.
Running the website on a Windows box with IIS 5.
Using the IP address is problematic, too, because the user may be using DHCP and could conceivably switch IP addresses.  Another solution would be to generate a cookie and use that to control access.

But note that there's no way to prevent the person from sharing the document.  I don't think there's a way to tell the Acrobat reader to not allow saving a copy of the document, and even if there were, the PDF spec is well known and someone could always write a PDF viewer that could save copies.  For that, you may need some other strategy.  A search on Google for pdf security turned up http://www.fileopen.com as one possibility.

Become a Certified Penetration Testing Engineer

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.


The only true way to avoid the document being shared is not to sale it in the first place. But that would not accomplish the goals would it?

It really will boil down to how sensitive is the information you are saling and the purpose behind it.

More than likely you will only accomplish detering people from sharing the link. While PDF documents can be secured to a degree. One can easily paste the link into google or another file conversion/capturing program and make the document into workable data.  For this is one of the biggest challenges currently facing web security that is still being researched.

One way that might work to view the data is to set up a memberdatabase, and rather than charging by time involved you can charge for how many times the file was accessed.  Again without knowing the data, this line of security is rather hard to extrapolate and present in a way that will be useful to follow.

Stage 1- Have a membership database with a set fee. Then additional fee for each time the file is accessed.
Stage 2- Set up the database to track a member's access of files
Stage 3- Setup a monthly billing that goes in and charges for unbilled access of files the user asked for.

That's the easiest solution I can forsee with the least amount of problems involved. And perhaps a larger fee if the person wants to download the file for use with some sort of liscense agreement as to what uses they will put it through and so forth so if you find they used it you can bill them or whatever penalty you wish to impart for unathorized use of files.

Hope this information helps,
rbhatiaAuthor Commented:
The security I'm looking for is medium level. I would like to permit people who have purchased the PDF to be able to download it and save it. However, I would not like to allow people to directly access the URL link without having paid for it. That's where I would need the encrypted link that would expire after let's say a day or so. So each time somebody purchases the PDF, they would get a unique encrypted URL that would allow them to view and download the PDF. But if they try to access the link a second time, it would take them nowhere.
Can somebody recommend code or software that I can use to achieve this ?
Unless I miss my guess, you are using a database to store the transaction thus it should be rather simple to do it this way and I will offer this in generic pseudo code setup:

In your database you should add another field that would be a unique code that is generated by the database addition. Most databases have a encryption algorithim that can be implemented during a insert call. So what I would suggest is having say the Purchase Order # and filename combined into a single string and encrypted to create an unique ID number(or key) that you can use in the link you send the customer.

The second phase would involve a processing page that takes the variable via a GET function, checks the database for the 'key' and if the 'key' was previously used or not used.
--If the 'key' was used it sends the customer to a page saying that they have already accessed this file.
--If not used, it takes the filename from the database and initiates the download through your scripts on system. And then updates the field in the database to show it has been downloaded.

This should cover the requirements of what you need to do. Sorry its not the actual code, but I am not sure of the coding platforms your system actually supports or the database you are using.

But in practice this should be straightforward setup with little complications. Hope this helps as it says it is possible to set this up using code.

rbhatiaAuthor Commented:
That does help. However, still have a few doubts...
I'm using SQL as my database server app. What is the encryption algorithm that I can use for SQL ?
Also, when the user clicks on the encrypted link that would take him to the download page, wouldn't the actual path/URL of the file be visible to him ?
What is the script I can use such that clicking on the link would immediately trigger the download ?
SQL generally uses md5 encryption and the syntax is
You may want to verify that in your manual to double check.

As to the second part, the URL yes and no.

You should be able to set up your code to do a quick download that will auto initiate the -open - save dialogue.

On that page to make it as straightforward as possible it will need to do these things:
1>Verify the user permission to download the file
2>Transfer the file to a temp folder
3>Initiate download procedures
4>Once file is done downloading, purge the file from the system
5>redirect to a page to thank the user and express your hopes for his satisfaction or something like that.

You could setup the renaming convention to be a the buyer's initials + a portion of the file to be downloaded. So now not only do you have a unique key to access the file, you have a unique filename the user will have to use.

Javascript should be able to initiate the file download through use of open('url') or something like that.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MD5 is a hash, not an encryption.  For this purpose, it's probably fine since you won't need to undo it.  

Don't worry about whether or not the URL is visible, because a)  a logger (such as that included with Norton Personal Firewall) will track it any way, as will the history logs in some browsers); and b) you're going to delete the link after some time perioud anyway.

rbhatiaAuthor Commented:
Thank you all for your contributions !
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Development

From novice to tech pro — start learning today.