
PHP Allowing File Access


adam84


Hello,

 

I need some help with a problem I am having.
I have a site where a user can post a document and others can purchase it.

 

My problem is how do I allow access to the document only once it is purchased?

 

My current direction:
 When a user uploads a file to the site, the document goes into the main repository.

 

 When a user creates an account, a folder is also created on the server and named the user id for distinction.

 When a user purchases a document, the document is logged into the database (where I keep track of all the purchased documents) and a copy of the document is moved into the user’s folder from the main repository.

 

Once the document is read or the time expires (i.e. 30 minutes from purchase), the document is removed from the user's folder and they cannot access the document again.

 

Thoughts
- I will have multiple copies of the same document saved on the server. (n)+1 documents. That might get out of hand.
- If I get 1 million users, that means I will have 1 million user folders on the server
- I'm not concerned with the user downloading the document, the main issue is denying them access until purchased.

 

What about storing the documents in the database? Is it better to load the content into a table or to save the actual document on the server?

 

Thanks,


Your solution is not secure. Anyone that stumbles across that directory would be able to download the file.

 

You can use PHP to send a Content-Disposition header (and some other headers) which will "force" a file download. Since it's through PHP, you can validate the request and make sure the user is allowed to have the file.

 

Google "PHP force download".

 

EDIT:

What about storing the documents in the database? Is it better to load the content into a table or to save the actual document on the server?

You should store the files on the server, but you can keep a file pointer in the database.

Edited by scootstah

I agree with Scootstah.

 

  • Store the files on the filesystem where users don't have access.
  • Store the filename in the db along with a document_id, and use that to retrieve the requested purchased document from the fs
  • When a document is purchased, create an entry in a purchased db table showing the user id, document_id, download expiration timestamp, and a randomly generated string which the user will use to download the file.
  • Send a link to the user with the randomly generated string, which your "download" controller (example) will process, http://yoursite.com/download.php/slekj3434jh234kjh243
  • When the user requests the file from download.php, verify their user_id, document_id and if it's still in the valid expiration time based on the randomly generated string.
  • If it passes, read the file from the filesystem and send the file to the browser forcing a download. You can reset the filename back to the original in the headers, or whatever you want to name it.
Edited by CroNiX
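
The steps in the list above, sketched as a download.php script (an added example, not code posted in this thread). The table and column names, STORAGE_DIR, the SQLite DSN and the `$_SESSION['user_id']` key are assumptions.

```php
<?php
declare(strict_types=1);
// Assumed names (not from the thread): tables documents(id, stored_name, original_name)
// and purchased(user_id, document_id, token, expires_at); STORAGE_DIR; the SQLite DSN.
const STORAGE_DIR = '/var/app-data/documents'; // outside the web root

// Called once payment succeeds: record the purchase with an unguessable token.
function issueToken(PDO $db, int $userId, int $docId, int $ttl = 1800): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex chars from the CSPRNG
    $db->prepare('INSERT INTO purchased (user_id, document_id, token, expires_at) VALUES (?, ?, ?, ?)')
       ->execute([$userId, $docId, $token, time() + $ttl]);
    return $token;
}

// Returns the document row only if the token is this user's and has not expired.
function authorizeDownload(PDO $db, int $userId, string $token): ?array
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // reject anything that is not a token we could have issued
    }
    $stmt = $db->prepare(
        'SELECT d.stored_name, d.original_name FROM purchased p
           JOIN documents d ON d.id = p.document_id
          WHERE p.token = ? AND p.user_id = ? AND p.expires_at > ?'
    );
    $stmt->execute([$token, $userId, time()]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Streams the file. The path comes from the database, never from the request.
function sendDocument(array $doc): void
{
    $path = STORAGE_DIR . '/' . basename($doc['stored_name']);
    if (!is_file($path)) { http_response_code(404); exit; }
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $doc['original_name']);
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// download.php/<token>: the user must be logged in AND hold a valid token.
session_start();
$userId = (int) ($_SESSION['user_id'] ?? 0);
$token  = ltrim($_SERVER['PATH_INFO'] ?? '', '/');
$doc = $userId > 0 ? authorizeDownload(new PDO('sqlite:/var/app-data/app.db'), $userId, $token) : null;
if ($doc === null) { http_response_code(403); exit; }
sendDocument($doc);
```

Because the files sit outside the web root and every request passes through the purchase check, there is one stored copy per document and no per-user folders.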