Forum OpenACS Q&A: Strategies to protect file downloads

We are using AOLserver 3.3.1+ad13 and OpenACS 3.x and plan to sell downloadable "ebooks" in the PDF format. We would like to protect the pdf file so the link to the book doesn't get passed around:

www.mysite.com/ebooks/greatbook.pdf

We've outsourced the secure credit card site which we can set up to give a thank you page after payment. (I'll say which one after we choose... suggestions welcome)

Some sites have a browser popup box appear that requests a user name and password when you attempt to download the file. The username and password are printed on the thank you page or in the thank you email so the user enters this info and the download starts...

I think this feature uses Apache's .htaccess system.

Question: Is there an equivalent in AOLserver?
or is there another method that I'm overlooking?

I've considered logging them in so they have a cookie and they go to the download page from the thank you page of the ccard site.
Two issues here: my server doesn't know if they paid, and some people block cookies.

Simplicity for the user is important.

TIA for your suggestions.

-Bob

Posted by Dave Bauer on
Here is my idea:

This assumes you can dynamically generate the thank you page.

Generate a unique URL for the download: http://mysite.com/ebooks/download?book=greatbook.pdf&secretcode=12345

Then store the key in the database or an NSV and expire the key after a limited time.

If you use a username/password to allow downloads, the URL and password can still be shared.

This still isn't 100% secure, but I think it will work.

You probably would need a way for your customer service staff to generate and email a new URL for a customer if they have a problem downloading etc...
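
A minimal sketch of the expiring-URL scheme from the answer above, added here as an example and not part of the original post or of OpenACS. It is written in Python rather than AOLserver Tcl; the in-memory dict stands in for the database table or NSV, and the 24-hour lifetime, the `CATALOG` set and all function names are assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 24 * 3600   # assumed; the post only says "a limited time"
CATALOG = {"greatbook.pdf"}     # constructed sample list of sellable books

# Stand-in for the database table or NSV: sha256(token) -> (book, expires_at).
# Only a hash is stored, so a leaked table does not reveal usable download codes.
_tokens = {}

def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_token(book, now=None):
    """Run when the thank-you page is generated; returns the secretcode value."""
    if book not in CATALOG:
        raise ValueError("unknown book")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
    _tokens[_digest(token)] = (book, now + TOKEN_TTL_SECONDS)
    return token

def download_url(book, token):
    query = urlencode({"book": book, "secretcode": token})
    return "http://mysite.com/ebooks/download?" + query

def authorize(book, token, now=None):
    """Run by the download handler; True only for a live code issued for this book."""
    now = time.time() if now is None else now
    key = _digest(token or "")
    entry = _tokens.get(key)
    if entry is None:
        return False
    issued_book, expires_at = entry
    if now >= expires_at:
        del _tokens[key]                # expired codes are purged on first use
        return False
    # The requested name must equal the stored one; the file to serve is then
    # chosen from the stored name, never from the raw query parameter.
    return secrets.compare_digest(issued_book.encode(), (book or "").encode())

def reissue(book, old_token, now=None):
    """Customer-service path: revoke the old code and hand out a fresh URL."""
    _tokens.pop(_digest(old_token), None)
    return download_url(book, issue_token(book, now))
```
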