This is about selling files such as PDF files. Lets say there is a web interface where an administrator can upload files to the server. These files are for later download by clients who have paid for the rights to download these files. How to simply manage restrictions to these files for clients? How to prevent someone who has not paid for the file to download it? A PHP implementation would be preferable for me but Im open to Java web aswell.
A:
Using an authentication system on your server (whether that's done in php or something else) would be a standard way to handle that situation. Your web server (apache, lighttpd) sends file download requests to your php script, and it checks to see if the user is logged in. If they're not, it sends back a login page. If they are, it serves the file.
Implementing a good authentication system from scratch is a big job. I'd look into prebuilt libraries that'll do that for you.
Serving files through PHP usually works okay, but can may take a few tries to get right.
As a very simplified method you could just use http authentication and add usernames/passwords to your htpasswd file for people who are permitted. Then your users have to deal with the ugly browser login box, though.
Gabriel Hurley
2009-07-23 22:54:39
I think you're confusing authentication with authorization
Janie
2009-07-23 22:58:03
A:
Allowing people to upload arbitrary files that can be accessed by the user is extremely dangerous and not advised.
For the scenario you described you are probably better off storing the uploaded files in the database and using the DB security features to control access.
JohnFx
2009-07-23 22:59:12
He did mention only the administrator, as one who will be able to upload files.
Inshallah
2009-07-23 23:04:30
Technically he said "an Administrator." I wasn't sure if he meant a customer using the site with admin privileges or someone inside his company. Just to be safe I assumed the later.
JohnFx
2009-07-23 23:21:39
A:
Try looking for "digital delivery" systems. http://www.google.com/search?q=digital+delivery I'd take a look at the second result, which is a Google API reference/guide.
thezachperson31
2009-07-23 23:13:12
A:
If your requirements are really very simple, then perhaps you don't need authentication. You could sell tickets, that are available only for a certain length of time, say 48 hours.
You'd have to make it clear to your users that these are really only limited time download windows. If you want to provide download services beyond that, the user will have to request a newly generated ticket sent to his email address, free of charge since you know which email addresses have bought which documents. The first ticket, by the way, need not be sent through email since you can simply save it in a cookie for the user who has just made the payment.
This is very similar to more traditional authentication, except that it doesn't require the user to remember a password. Actually, the resending of newly generated tickets to the user's email address is very similar to the I-forgot-my-password syndrome.
The reason you have to limit tickets to a certain amount of time is because otherwise it will be too easy for people to exchange paid-for document links. Users will probably not remember, or even need, those ticket links indefinitely anyway.
This technique simplifies the process a bit by not needing the user to specify a password. It can also be used in conjunction with the more traditional username/password authentication if you want to add one later (simply remember all paid-for tickets in the user's account).
Inshallah
2009-07-23 23:34:25