pay downloads

[jcombs_31]

I may have a job coming up that will require a user can pay to download files, more specifically songs.  This seems like it can be a daunting task.  I wanted to get some background on the topic and see if you guys can provide me with any resources or just some information about how you would go about it.

[LiamProductions]

Make it so the user has to sign up then make a online store thing. something like that. using paypal maybe so when they've payed they can continue the merchant.

[jcombs_31]

Thanks for the great input.  You really think I need to make them sign up for an account and have a shopping cart?  I would have never thought that was necessary.

 

Let me be more specific.  My concern isn't setting up user account control and a shopping cart. My concern is the actual download process. I have brought this up before for a similar project that never happened.  Setting up a store for a tangible product is pretty straightforward, but this is not.

[Crow]

Once payment is confirmed use some sort of session id to track the user.  You could store it into a database, and have it expire after so many minutes/after the user downloads the file.

 

This ensures that they can't hotlink to a file they paid for once.

 

Step By Step Procedure:

• User Finds Media
  
• User Selects: Purchase/Download
  
• User is asked for Credit Card information (Paypal API/Custom API/Other form of CP API)
  
• Once a confirmation is recieved user gets and email saying: 'Click this link: http://somesite.com/media_dl.php?ses=3494a392JWei324'
  
• Script looks up that session id in a database and forces download of the file
  
• Session is terminated from the database (to prevent downloading again)
  

 

A registration system could be an OPTIONAL requirement that would allow the users to redownload files they've already purchased.  If they don't register they can still download the file, but once they download it the first time they'll have to repurchase it the second time.  By having them register you could have a page 'Download History' where they could click to download the files again.

[jcombs_31]

Yea, I was thinking about a credit system.  I think it would make it easier to track.  I think it might be easier to make them register.  They purchase credits for whatever amount is determined, and each track can cost a certain amount of credits.  I don't know the legalities of certain things, but I think that one download is probably all they should get, otherwise they can just give their signon to another user.  Once they download a track, I remove the credits from their account in the DB.  The thing I have to figure out how to check is when the download completes on the client side.  If they cancel or drop a connection in the middle of download, I don't want to remove the credits. 

[LiamProductions]

The reason people make a login system for shopping carts is because you can store the users details what they've bought ect.

[jcombs_31]

The reason people make a login system for shopping carts is because you can store the users details what they've bought ect.

 

You're just full of useful information.

[LiamProductions]

If thats a good thing thanks 

[akitchin]

they don't teach sarcasm in school these days.

 

i imagine the major advantage behind a crediting system is that you can totally separate payment and downloading entities.  obviously handy for development and troubleshooting, as well as customer service ("I couldn't download the song, I think it's because my payment never went through, I don't trust your CC processor!"  ".. WRONG, BITCH.  I see your credits right there.").

 

i found difficulty when trying to track download success in a PHP-delivery system i made a while back.  it wasn't as crucial for me since payment wasn't involved, and files were often small (<=1M), so i didn't delve, but i think my issue was trying to have PHP run something once the header() had finished spitting the file out to the browser.  maybe forking the process would be handy, and having a CRON to check on them?  i've never used forking, so that's potentially a totally intangible idea.  just tossing ideas out.

 

another option might be to clause it in the terms of service:  "If a download doesn't complete, the customer (you) accepts responsibility because we sure as hell know it ain't our server."

[jcombs_31]

I'm no javascript expert but I assume that it must be able to track the client download somehow.  If anyone has anymore info on how this can be done I would really appreciate it.  I haven't really spent time searching it yet but I will later today.

[roopurt18]

You can't stop people from sharing the music with their friends, period.  Even protected music can be shared easily.  Say you download some songs on iTunes, they're protected, they only work on your PC and iPod.  Right up until you burn them on CD, give them to your buddy, and he rips them back to MP3.  Blammo!  Unprotected music.

 

I think you'd be better off looking into what the law states are your responsibilities in terms of serving music.  If the music you're selling is owned by the people that own the site, then I'm pretty sure they can dictate the rules.

 

If you can get away with it, I'd just keep track of who purchased what and provide them with a page where they can return to download it any time they want.

 

One PC game that I played allowed you to purchase small add-ons for cheap from the companies online store.  When you purchased the add-on, they sent you an e-mail with a link that was valid for 48 hours.  That might also be an option worth exploring.

 

If you're hell-bent on determing when the download completes, you might look into some sort of Java applet.

[akitchin]

i just found an interesting few posts about tracking the success of a download through PHP.  it seems trolling the logs and dealing with people complaining about an incomplete download is your best bet:

 

http://mail-archives.apache.org/mod_mbox/httpd-users/200208.mbox/thread

 

search for "Detecting download success/failure from server?"  don't know if it will help you, but it was at least interesting to read.

 

EDIT:  roopurt's got a great point, but i'll leave this in as interesting reading i guess.

[jcombs_31]

You can't stop people from sharing the music with their friends, period.  Even protected music can be shared easily.  Say you download some songs on iTunes, they're protected, they only work on your PC and iPod.  Right up until you burn them on CD, give them to your buddy, and he rips them back to MP3.  Blammo!  Unprotected music.

 

I think you'd be better off looking into what the law states are your responsibilities in terms of serving music.  If the music you're selling is owned by the people that own the site, then I'm pretty sure they can dictate the rules.

 

If you can get away with it, I'd just keep track of who purchased what and provide them with a page where they can return to download it any time they want.

 

One PC game that I played allowed you to purchase small add-ons for cheap from the companies online store.  When you purchased the add-on, they sent you an e-mail with a link that was valid for 48 hours.  That might also be an option worth exploring.

 

If you're hell-bent on determing when the download completes, you might look into some sort of Java applet.

 

I'm not concerned with what people do with the music after it is downloaded, but of course the source should be protected.  It will not be my site or my music, I'm simply the programmer.  I'm just brainstorming the best way to serve the files as they should be.  I think people want to be able to download something right away and not have to open up their email.  If someone downloads a file and loses it I don't necessarily think they should just be able to keep downloading it. If you buy a game in the store and lose it, they certainly won't give you a new one because you already purchased a copy.

[roopurt18]

I'm not concerned with what people do with the music after it is downloaded, but of course the source should be protected.  It will not be my site or my music, I'm simply the programmer.

I understand this.  What I meant was if the site you are making is for a specific band or artist and it's that person's music you're distributing, they can dictate the rules.  If it's a general online store then you just have more rules to follow.  My suggesting was to figure out which legal rules you had to follow before you did any programming.

 

I'm just brainstorming the best way to serve the files as they should be.  I think people want to be able to download something right away and not have to open up their email.

I agree.

 

 

If someone downloads a file and loses it I don't necessarily think they should just be able to keep downloading it. If you buy a game in the store and lose it, they certainly won't give you a new one because you already purchased a copy.

I think distributed software is a bad example to bring into this discussion.  True, if I lose my Windows key I have to buy another.

 

But if my computer gets wiped out and I still have my CD stored away, I can still re-install and be on my way.  A hassle but I know before hand that it won't cost me additional money.

 

This is not true of music that you are allowed to download once and only once.  You are placing an extra burden on the consumer to make it their responsibility to have a physical copy; people spending money don't want burden, they want an enjoyable experience.  If I go to your music shop and am told up front that I can download music I purchase only once; I'm not going to buy anything.  First, if I wanted hard copies of my music lying around all over the place I'd go to the music store, but instead I went to your online shop.  Second, I know that if I purchase $100 in music over the course of a year, get a virus, and have to re-install my OS that I now have to spend $100 again just to get the music that I own.  From my perspective I've given you a lot of my money, been a good customer, and am now being told to "Bugger off."

 

Also, there's the point that if people can only download a file once that it just opens up the opportunity for more support calls.

 

"Hello, I was in the middle of downloading a file and my [connection dropped | browser crashed | 3 year old hit the power button | etc].  Now it says I have to pay for it again?"

[roopurt18]

I just wanted to add that I love music.  I listen to it all the time while programming.  I also spend hundreds of dollars every year online.

 

To date, the amount of money I've spent online buying music:  $0.00

 

(No I don't download illegal music; the last song I downloaded was when Napster was still free.)

 

I don't spend any money on online music because of the hassles and restrictions the RIAA has inflicted on consumers.  It's ridiculous that I should buy a song and not be able to play it in any device that I own due to encoding / protection crap.  If I bought it, I own it, so let me use it.

[jcombs_31]

you make good points.  I'm getting ahead of myself too, because ultimately the client will dictate the way they want it, but I want to at least be somewhat educated on the topic to make suggestions.

[jcombs_31]

I just wanted to add that I love music.  I listen to it all the time while programming.  I also spend hundreds of dollars every year online.

 

To date, the amount of money I've spent online buying music:  $0.00

 

(No I don't download illegal music; the last song I downloaded was when Napster was still free.)

 

I don't spend any money on online music because of the hassles and restrictions the RIAA has inflicted on consumers.  It's ridiculous that I should buy a song and not be able to play it in any device that I own due to encoding / protection crap.  If I bought it, I own it, so let me use it.

 

I agree, and I also love music and will not comment on how I get mine

[roopurt18]

I think as a contract programmer your responsibilities lie in making sure that the files aren't freely available to anyone via URL manipulation and that whatever payment method you go with is secure.

 

I think it's really up to the site operators to dictate in what fashion of serving the files is legal and optimal.  Of course, sometimes things are suggested that are technically impossible or require a "clumsy" implementation so they get ruled out.

 

I'm personally curious to the development of this as I've not ever dealt with handling payment transactions via the web but I foresee myself having to tackle this sort of problem in the next year or so.

[ober]

I don't know the technical details behind it, but I'll give you my experience and how I think it works, for what it's worth:

 

allofmp3.com gave me the files I could download in a window.  Once I downloaded them they were no longer available.  I don't think JS was involved but I do think some backend tracking was occurring for sure.  Since they generated the file to my specs before download, I can only assume it was moved to a location for me to download.  I can also assume that they also were possibly tracking my session and how much data my session was moving on the server.  Again, I don't know how you would track the number of bytes a person has downloaded from a file, but I'm pretty sure that's how they did it.

[steelmanronald06]

Don't know if this is possible, but could you store the music on a different server from the website? Then use sockets and sessions to go over and grab the music off the music server and serve it to the client on the web server? This would keep people from directly hot linking to the music file and letting every one of their friends download it.  But, like I said there would have to be sessions involved so that you first check to make sure their a user and allowed to have that file before you do the actual fetching.

[Daniel0]

Here is what you could do:

 

1. User purchases a file

2. Script generates random unique download link (e.g. download.php?key=F9ah2fh287faHfAhk). This download link only works ONCE meaning if the go to it they will only have one chance of downloading it.

3. Give the link to the user. Inform them about the restrictions.

4. User clicks the link.

5. Deactivate link and then serve the file dynamically in a way like this:

<?php
// connect to db
$db_link = mysql_connect('localhost', 'root', '');
mysql_select_db('store', $db_link);

// check that key is set
if(!empty($_GET['key']))
{
die("No key given");
}

// prepare it for sql
$key = mysql_real_escape_string($_GET['key'], $db_link);

// get link and file info
$result = mysql_query("SELECT l.*,f.* FROM download_links AS l LEFT JOIN files AS f ON f.file_id=l.link_file_id WHERE l.link_key='{$key}' LIMIT 1", $db_link);
if(mysql_num_rows($result) != 1)
{
die("Invalid download key");
}
$link_info = mysql_fetch_assoc($result);

// delete link. it's not valid anymore
mysql_query("DELETE FROM download_links WHERE l.link_key='{$key}' LIMIT 1", $db_link);

// serve file to user
header("Content-Type: {$link_info['file_mime']}");
header("Content-Disposition: attachment; filename={$link_info['file_name']}");
header('Content-Description: File Transfer');
header('Accept-Ranges: bytes');
header("Content-Length: {$link_info['file_size']}");
readfile($link_info['file_path']);
?>

Table download_links contains these fields: link_id, link_key, link_file_id

Table files contains these fields: file_id, file_name, file_path, file_size, file_mime

 

6. User downloads file

7. User sends the link to his/her friend.

8. Friend tries to download and gets this message: "Invalid download key"

 

I believe that this would prevent users from download the file multiple times and from sharing the link with their friends. The user could still send the file to their friends though...

[Azu]

Thanks for the great input.  You really think I need to make them sign up for an account and have a shopping cart?  I would have never thought that was necessary.

You could have found that out on Google you know, lol..

 

 

Okay, on a serious note, I think you should just have the file links go to the paypal page with the ID of the file, and then when they buy it, it makes an entry into your database for the ID of that site and the URL, and the paypal page redirects to that link when they pay, so the download starts immediatly, and when the URL is accessed, it is deleted from the database, so it can't be leaked.

 

No registration or anything needed.

 

Also you should set the mime type to force them to DOWNLOAD the file not PLAY it. This way they can listen to it as many times as they want.

 

This is how I would do it anyways.

[jcombs_31]

Thanks for everyone's feedback. I wish I could find a good article somewhere on this. If anyone happens to find one, I would appreciate it.