Thread: download page

Is there a way of protecting the download page so that people who have downloaded the e-book once cannot download again?

If they are taken to a protected page, they shouldn't be able to get there again without purchasing again. But if they already downloaded it and have a copy - why would they download it again?

I don't worry about this on my site, as Beth says why would they go there again. They would also not bother to pass the address on to others as they could easily just pass the e-book on, which happens if we like it or not.

Some things are just not worth losing sleep over and this is one of them.

Don't worry about it.

Paul

Thank you. You are right. This isn't something I should worry about.

I would say the page needs to be protected as i have found pages indexed by the search engines which are meant for purchases only. A way to overcome this tho is to add the page into the robots txt but it would not stop people pasting the page address as again i have seen done before. so protection all the way i say.Normally php coding is quite good for this as you can then keep the download files out of the public_html folder by creating a download link to the file which is temporary and therefore out of reach of people who haven't paid. cubecard (found in cpanel) is quite good for this type of thing.

Its not in the public folder and it is a php page...........and it cannot be accessed until someone has paid.

ScubaDiver:

I am currently selling e-books for two of our forum members with another three in the pipline.
Visit Your Local E-Book Centre and take a look at http://e-books.bluevodaforms.com/willsinfo.html and Choose your Childs Future Health.

If you like what you see, and wish me to market your E-Book, contact me through the site contact form...............
__________________

I just looked at my stats and it said that the download page has been accessed 20 times. I haven't made that many sales yet. How does this happen?

We did quite a bit of testing, have you checked the dates ??

It doesn't say on what days it was accessed. I guess there is nothing I can do about it.

You have it protected, right? It's not just a page anyone can get and it's not a page that search engines will spider and find, right?

As to 20 times - I know I was there once, maybe twice when we were working.

Ok, CiCi's download page is NOT protected. It simply is the last page in a sequense of Payment - returnpage (from PayPal) with a survey form in it and finaly the download page. So, it can be accessed by anyone, if the link is available through some SE indexing.

Please note that PDF's are also indexable by Google and other SE, as long as there are links from a page to them.

The ONLY way to protect a download, is NOT having any links to it, and NOT having the file on the site. This is done by

1. Generating the link to the file dynamically: this means that a verification script is needed, that will check with PayPal the payment details, and if everything is ok, will display the link to download.
2. The file it self is NOT on the site but in the database, so it cannot be indexed or accessed by anyone if the the script doesn't display the link to it.

Downloading the file from the database with such a procedure involves also a special download script.

This is more or less the core of our Instant Download Cart (which also allowes client info tracing, order details, payment details etc. to be stored and viewed in the database)

Naval; I agree with some of what you say, but there are millions of sites that do NOT use databased download links.

Also if a page is protected, some people have a problem when being returned by paypal for the download.

The problem of Google can be overcome by putting NO FOLLOW in the return PHP page and the download pages, and if these download pages are not linked or published anywhere else on the site, then no problems should arise.

It is also quite easy to change the actual download page at times so that it can ONLY be accessed from the return page, and as
the return page from CICI´s payment merchant is encrypted, then no one knows where that page is.
Unless you paid to see this page, how did you know that it was a thankyou and survey page? and I dont think CICI will thank you
for making that public................

When you say that the links cannot be accessed simply because they are in a database, then that is not strictly true....There are ways and means of accessing databases without knowing the password, as you well should know.

I do agree though, that the more security you have, the better.............

yours cordially

Hi David, good to have an exchange of opinions.

Ok, let's see your points:

I agree with some of what you say, but there are millions of sites that do NOT use databased download links.

Yes, true. As long as it is a couple of files, then yes, that's acceptable. If you make a living by selling sogtware or images or e-books, you certainly do not leave these links in the air.

Also if a page is protected, some people have a problem when being returned by paypal for the download.

Protection in this case doesn't mean having a pass protection It means a whatever protection, usually by verifying the payment with PayPal. A simple protection, which does not require information from PayPal, is to see if the link that has led to the page, truelike. (The links from PayPal are of a certain type). This will at least protect you from amateur attempts of illegal download.

The problem of Google can be overcome by putting NO FOLLOW in the return PHP page and the download pages, and if these download pages are not linked or published anywhere else on the site, then no problems should arise.

Not 100% True (in my opinion) . I don't know how and why, but Google has found many of my "hidden" (meaning without links to them) PDF's that i uploaded on my site for my client's to access simply giving them the direct link.


It is also quite easy to change the actual download page at times so that it can ONLY be accessed from the return page, and as the return page from CICI´s payment merchant is encrypted, then no one knows where that page is.

Correct. Only that i (personally) don't like to change my return page every once in while. I prefer spending my time in other things.


Unless you paid to see this page, how did you know that it was a thankyou and survey page? and I dont think CICI will thank you for making that public................

Beacuse i have built that page. And, i didn't make the link (with that strange name) public. And, remember, CiCi is worried about his security, since the page has been accessed a number of times. I will now set it so that the page is protected (using the IDC core for this purpose).

When you say that the links cannot be accessed simply because they are in a database, then that is not strictly true....There are ways and means of accessing databases without knowing the password, as you well should know.

Yes, if you are a (good) hacker. But if American Express, with it's Fort Knox security systems, has left 1.000.000 credit card numbers to get hacked, then i suppose that we cannot talk of 100% security never.


David, please understand that i am, most of the times, speaking strictly from the technical point of view. I will also have a free version of my IDC limited to a single product, available for VH users as soon as possible. But, when it comes to sites that live from automatic downloads, then the above solutions are simply not acceptable. You need to have the links protected by a script, you need to NOT have the files stored in the site, and you need to verify that the client has paid before you can allow him to download.

A agree with Naval.

And, if you put nofollow or no index, that is only good when they are looking from your site.

However, once someone buys the product, if they put the link in their blog or on a forum, for example - for their friends - it now becomes a link that the se's will follow - and now when someone queries for it, it might come up in the se's and people will all get to the pdf file for free. Kind of defeats the purpose of selling a product if it's readily available free. Which any page not protected but out there will become if it's found by outside sources.

Beth, If you think about it, whats to stop people from also giving out the password to their friends or publishing in blogs or forums and gaining access......there is no foolproof way of protecting anything thats on the web.
You can only make it as difficult as you can, so that its not worth the effort.

Hi George, I agree that it is always good to have an exchange of opinions.

Ok, let's see your points:

Yes, true. As long as it is a couple of files, then yes, that's acceptable. If you make a living by selling sogtware or images or e-books, you certainly do not leave these links in the air.

These links are not in the air, they are contained within a PHP file and as you yourself have pointed out in the past, server sided PHP scripts are more secure than html pages.(you cannot view the source code)


Protection in this case doesn't mean having a pass protection It means a whatever protection, usually by verifying the payment with PayPal. A simple protection, which does not require information from PayPal, is to see if the link that has led to the page, truelike. (The links from PayPal are of a certain type). This will at least protect you from amateur attempts of illegal download.

People normally use and pay paypal a commission on each sale in order to assure themselves that paypal has verified the payment, and will only return the client to the return page after verification.
This return page on the clients site Then leads to the download page.

I know that if someone uses a paypal cheque that you should wait until its cleared before allowing a down load, but how is this overcome without upsetting the client?? and why dosnt paypal advertise this fact ?

Not 100% True (in my opinion) . I don't know how and why, but Google has found many of my "hidden" (meaning without links to them) PDF's that i uploaded on my site for my client's to access simply giving them the direct link.

Nowadays, you can also instruct Google to ignore the links to files ending with .pdf or any other file type ending you wish.

Correct. Only that i (personally) don't like to change my return page every once in while. I prefer spending my time in other things.

A lot of sites use the time elapsed or 1 time download links for further protection, and I make a habit of not only changing my passwords from time to time but also my download links. In my opinion, its worth the small extra effort.

Beacuse i have built that page. And, i didn't make the link (with that strange name) public. And, remember, CiCi is worried about his security, since the page has been accessed a number of times. I will now set it so that the page is protected (using the IDC core for this purpose).

Be aware George, that your page has been replaced, as at the time, abvfp was not capable of storing the form details in a database, and this lady wished to have that facility which also includes a backend to view, update, delete etc, etc.
Your latest creation now takes care of all those functions......


David, please understand that i am, most of the times, speaking strictly from the technical point of view. I will also have a free version of my IDC limited to a single product, available for VH users as soon as possible. But, when it comes to sites that live from automatic downloads, then the above solutions are simply not acceptable. You need to have the links protected by a script, you need to NOT have the files stored in the site, and you need to verify that the client has paid before you can allow him to download.

George, from a technical and logical point of view, if the PHP script which controls access to and from the database is not secure, then how can the database itself be secure ???

A PHP script is a PHP script and whether it controls access to a database or access to a download link, then as server sided PHP IS secure then both types of script are secure...............

Yours cordially

Hi David,



These links are not in the air, they are contained within a PHP file and as you yourself have pointed out in the past, server sided PHP scripts are more secure than html pages.(you cannot view the source code)

Wrong: the php code is not visible, the html output of a php file is perfectly visible. So if the script creates the links duynamically after payment verification, tht's perfectly ok because no links will be there if payment has not been verified. But if the links are there, as html, they will be visible.


People normally use and pay paypal a commission on each sale in order to assure themselves that paypal has verified the payment, and will only return the client to the return page after verification.
This return page on the clients site Then leads to the download page.

I know that if someone uses a paypal cheque that you should wait until its cleared before allowing a down load, but how is this overcome without upsetting the client?? and why dosnt paypal advertise this fact ?

PayPal verifies the payment (if completed) or sends you (if you have the appropriate script for receiving the info) a "payment pending" notice. But this is not what i was refering to, i was refering in the case of a direct link to the page if someone malicious posted the link to a blog or forum.



Not 100% True (in my opinion) . I don't know how and why, but Google has found many of my "hidden" (meaning without links to them) PDF's that i uploaded on my site for my client's to access simply giving them the direct link.

Nowadays, you can also instruct Google to ignore the links to files ending with .pdf or any other file type ending you wish.

As said before, that is ok if the link to the download page is not published anywhere by malicious persons.

Correct. Only that i (personally) don't like to change my return page every once in while. I prefer spending my time in other things.

A lot of sites use the time elapsed or 1 time download links for further protection, and I make a habit of not only changing my passwords from time to time but also my download links. In my opinion, its worth the small extra effort.

Well, that's personal opinion. I would like having my files protected and just forget about them. Indeed that's why i states "personally".

Beacuse i have built that page. And, i didn't make the link (with that strange name) public. And, remember, CiCi is worried about his security, since the page has been accessed a number of times. I will now set it so that the page is protected (using the IDC core for this purpose).

Be aware George, that your page has been replaced, as at the time, abvfp was not capable of storing the form details in a database, and this lady wished to have that facility which also includes a backend to view, update, delete etc, etc.
Your latest creation now takes care of all those functions......

Please note that she has mailed me back, asking me to restore it back to what it was, with the new ABVFP, just 10 days ago. I have not had any further updates.


David, please understand that i am, most of the times, speaking strictly from the technical point of view. I will also have a free version of my IDC limited to a single product, available for VH users as soon as possible. But, when it comes to sites that live from automatic downloads, then the above solutions are simply not acceptable. You need to have the links protected by a script, you need to NOT have the files stored in the site, and you need to verify that the client has paid before you can allow him to download.

George, from a technical and logical point of view, if the PHP script which controls access to and from the database is not secure, then how can the database itself be secure ???

Who said that it isn't ? it takes a hell of a hacker to break it, and he certainly would not lose his time for an e-book.

A PHP script is a PHP script and whether it controls access to a database or access to a download link, then as server sided PHP IS secure then both types of script are secure...............

I agree, but as said, that kind of links (as in cici's download page) is NOT php.

What ive done before is store the files on the site, but have the php script rename them to a md5 string (so they are 32 characters long). When someone wants to download the files they click a link which just has a url variable to the row of the table in the database that contains both the original file name and the actual file on the site. It then creates a file for them to download using the php header() function that has the original name. This doesn't reveal the actual file location, and you can track how many times it been downloaded by a user either by their ip, or if you have a login system setup. I also chmod the directory that contains the actual files to where people can't access the directory or anything in it with their broswer (744 if I remember correctly).

This can prevent multiple downloads, unauthorized downloads, people letting their friends use their account to download, but no matter what, as people have already said, its impossible to prevent people from downloading the ebook and then sending it to their friends. (Short of embeding it in a program that requires them to enter an activation key that will check with the server before allowing the contents to be read, which still won't be 100%)

I use instead to store the files in the database, and output them also using the header funcion. That is also necessary for other reasons: if you have the application that opens the file installed on your computer, the files will be opened instead of saves. The header function allowes to save.
As for the unauthorized download, i have the scaript check with PayPal's database ALL the parametres of the payment, as well as the variables related to the order, which i pass to payPal. When the customer comes back to the return page, the script checks the payment details as well as the order deatails, and allowes or disallowes download. The first download date is stored in the database, and additional downloads are allowed for a Administrator defined period of days.