Topic awaiting preservation: Secure way to allow downloads? (Page 1 of 1)

Hi all,
I am working on an ecommerce site that will sell "information/downloads".. So from what I can gather its substantially different from a site that offers "physical products"...

What I need to happen is the user finds the document they want, clicks the 'buy now' button goes through the CC bit - on success it returns them back to my site and presents them with the file to download.

The site will be using both verisgn and paypal, from what I have read verisign actually passes variables back through POST, same as when you submit a form etc. Paypal however you can put in the return URL on success for each 'buy now' button.


A normal purchase is a bit different I think since you:
1. Select your products
2. Enter your CC information
3. The merchant gets the order, checks the CC went through fine
4. The merchant sends you the goods.

In my situation:
1. Select your download
2. Enter your CC information
3. On success the file download will start.


The overall problem is - how to stop people downloading a file when they havnt payed for it. For verisign this will rely on the POST variables (im not sure, but can these be faked somehow? can you send a "success" post to that page - since it comes from somewhere else all they have to do is have a remote form with the post vars and send it) im not sure if they can find out what post vars are on the current page without server side access however?

With paypal it will be about the custom url, im not sure if im allowed but it will have to be a url like mysite.com?fileid=66&success=1 , Obviously anyone seeing those vars in the URL can click on to the fact that they could then download any file by changing the fileid in the string.


So .... has anyone worked with this before/has suggestions or knows a good way to do it. Thanks

What you need for absolute security is some verification process direct with the payment processor. There is no information that you receive from the browser that can be trusted. Instead you have to take the information given, request verification from PayPal or whatever through the back-end and only then grant access.

Unfortunately I've never done this, so I can't help you, but PayPal has got to have something like that available.

-jiblet

I am going to make a couple of assumption that after the purchase goes through you are not worried about someone jumping into the user's stream to hijack the download.

What I might try would be a scheme along these lines (I am assuming that you are sending data to your MA and the MA just returns them to a supplied URL).

1) User asks to buy the doc
2) Register the user on your server
3) Create a random download URL to tack onto the request for the return, tie it to the user's IP address.
4) User gets sent offsite to pay
4.1) If the MA returns a sucess to your server, only activate the link if this occurs.
5) User is returned to the random URL after payment.

Note: This can get hacked, if you are not getting a sucessful transaction message returned to your server, and you are not sending the random URL to your MA so that the user can not see it.

Lets try an example.

User clicks "Buy Doc 1"
The Server creates a url http://www.yoursite.com/downloaddoc.php?documentid=[randomasciistring]&ip=[ipaddress]
Store randomstring and IP in your database as a field linked to the transaction
Send the URL to the MA
Send the USER to pay
server gets payment sucessful message
Store boolean sucess value into the database linked to the transaction
MA returns user to the supplied URL
Server checks documentid, ip, and sucess, if the are all correct, output the file to be downloaded through your script.

I would also tack on a condition that tracks the times downloaded, and the time after the transaction. I would clear stop allowing the download after 24 hours, and after a given number of attempts. When an attempt is made on the correct URL after these fails happen you need to give them output that tells them to contact you if they are having problems. You will then have to manually verify them, and the reason they need the file after the experation, and send it to them over a different channel or revalidate their session.

It shouldn't be all that complex, but how your MA does things is important, and might make security impossible.

Dan @ Code Town

Thanks for that, in the end I was thinking along those lines.

There will be two methods of payment, verisign and paypal. It looks like verisign can send back POST data, and alot of it - including roughly 10 custom values that I can spevify in the "buy" link.

Paypal it looks like i can put a return URL in the "buy" link, and it only goes here if the payment was a success.

The other thing is I will do activation by email, so the start of the return script will send the email with the activation link.

Now the verisign one should be relatively safe, i get success in the post variables (im not sure if people can somehow make these up) but I can also check the referer an make sure its from the verisign place as a security measure.

The paypal one however, because the success URL is in the button link they would be able to copy& paste that to simulate success... So to avoid this I gues when they click the "buy" button I should probably use a php redirect to send the button link - if this is possible? Im not sure how else I can make the url secret?

What do you think?

Both sound insecure. Sending something in a post variable, would have to go via the client. Just because it isn't in the URL, doesn't mean that it is not in the header.

The activation link in the email if done correctly could also offer some additional security. And could potensially make it loads safer.

When you are done with the site, if you post it here with some test data I am sure that a couple of people would be willing to give you 5 minutes to see if they can break in.

If it takes more effort than 5 minutes to figure out how to crack it you are pretty safe.

If your site gets popular enough where you have to worry about a dedicated hacker affecting your resume stream you are most likely making enough money so that you will be working with a MA who will be doing all these transactions via sockets.

The use of the redirect might be a bad idea, because it gives a common location for the user to hit.

In the end without doing everything on your end, or having a secure socket connection between you and the MA you are not going to be able to get good security because you can not verify the transaction before supplying the goods.

Dan @ Code Town

Mmm thanks War.. i see what you mean. There was one other option that verisign had (but not paypal) - called silent post, where it sends the results to the server only. However i think the results were limited and only a few bits of data such as success, not sure how I can determine which product to allow download for in that case...

I will post the site once I have the test gateway up since you can do test CC transaction - cheers for the thoughts

You would have to read over their docs, but you would send your details to them via a socket, and then wait for a response.

That is how things like that normally work.

Dan @ Code Town

i think probably because this is their cheapest option etc, it is more limited. And well paypal.... not sure if they even have that option

The last time I dealt with a shopping cart had to be 4 or 5 years ago, so I am not up on everything that is going on with them, but I have heard of sites specifically designed to sell and send downloads for people. Maybe an option like that would be good for you.

A quick google search brought up a site called PayLoadz.com which does what you are looking for, and they have freeish accounts, you might want to look into something of that nature. Make sure to check out the news groups for opinions of the services out there.

Dan @ Code Town

I'd go the route of sending a download link after the processing has occured. Tie the link to a particular "account" and just let them download it for a small window once they get to the site. You can also lock this to an IP if you want but that method gets problematic for people behind corporate NAT's etc. Granted they can give someone else the URL and account info but since you're letting people download stuff anyway they can pretty much redistribute at will.



.:[ Never resist a perfect moment ]:.