views:

44

answers:

3

I've been tasked to build a system that allows someone in our company to send out an email with a link to a pdf file that will be kept on our webserver. The recipient can follow the link to view a newsletter we normally sell. The idea is we do this for three months, then see if they'd like to continue and pay for the full subscription.

I've got the registration portion built, but I'm trying to find the best solution for sending the email. Here's what I've thought of, but am interested if anyone else has something better.

1) When emailing, generate a generic code that gets appended to the URL. The user would follow the URL, and it would check our DB for "ok" entries and pass/fail them access. This seems ok, but a link could be passed around or even loaded to a public site where anyone could access.

2) To extend the above, I thought maybe I'd have a "one time click" kind of thing where once I know the link was clicked, it could expire, so any subsequent clicks fail. The downside is if they click to view and close their window, they're done. Likewise, if they click and their computer crashes before download completes, they'd be locked out as well. I don't know if there's a way (in PHP for me) to confirm a file download has completed...

3) I could put the files in a directory like /trials/201009/[email protected] where the file is uploaded and the name for the link is random so it would be hard to guess. Then I could use .htaccess to protect each month's folder with a different password. This could get tedious and would be annoying for users most likely.

We don't want to force them to manage their own passwords b/c having to login and remember yet another account may discourage participation.

Thanks for any ideas or pointers. D.
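Option 1 above (a code appended to the URL, checked on the server) can be built without a database round-trip at all if the code is an HMAC over the recipient's address and an expiry timestamp. This is an added illustration, not code from the question or from any of the answers, and it generalizes option 1 a little: the link carries its own expiry, the server only needs the signing secret, and a forged or edited link fails the signature check. The base URL, the secret and the `reader@example.com` address are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: the signing key is loaded from server-side configuration and is
# never placed in the link. This value is a placeholder for the example only.
SECRET_KEY = b"replace-me-with-a-long-random-server-secret"

# Hypothetical location of the script that serves the newsletter PDF.
BASE_URL = "http://www.yourdomain.com/trials/newsletter"


def _signature(email: str, expires: int) -> str:
    """HMAC-SHA256 over 'email|expiry', URL-safe base64 without padding."""
    msg = f"{email}|{expires}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def make_link(email: str, valid_days: int = 5, now: Optional[int] = None) -> str:
    """Build the link that goes into the trial email."""
    now = int(time.time()) if now is None else now
    expires = now + valid_days * 86400
    query = urlencode({"e": email, "x": expires, "s": _signature(email, expires)})
    return f"{BASE_URL}?{query}"


def check_link(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Validate a clicked link; returns (ok, email_or_reason)."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlparse(url).query)
    try:
        email = params["e"][0]
        expires = int(params["x"][0])
        sig = params["s"][0]
    except (KeyError, IndexError, ValueError):
        return False, "malformed link"
    # Constant-time comparison so a guesser learns nothing from timing.
    if not hmac.compare_digest(sig, _signature(email, expires)):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, email


if __name__ == "__main__":
    # Constructed walk-through: issue a link, then try it valid, expired and tampered.
    issued_at = 1_000_000
    link = make_link("reader@example.com", valid_days=5, now=issued_at)
    print(link)
    print(check_link(link, now=issued_at))                      # (True, 'reader@example.com')
    print(check_link(link, now=issued_at + 6 * 86400))          # (False, 'expired')
    tampered = link.replace("x=1432000", "x=9999999")
    print(check_link(tampered, now=issued_at))                  # (False, 'bad signature')
```

The link itself is still bearer credential: anyone who receives a copy can use it until it expires, which is exactly the sharing concern raised in option 1. What the signature buys is that nobody can mint or extend a link without the server secret.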

A: 

First off, realize that there is only so much you can do here on your end. You are allowing users to download a PDF, after which they can do with it what they please (legally or otherwise). So, preventing passing around the link is not necessarily going to prevent people from sharing or posting the PDF itself.

That said, if you do want to make it a little harder, you could do a variation of your suggestion #2 in which you institute a time delay of some kind before the link expires after it is clicked. You could also limit the number of times the link will serve the file. Because people have a variety of connection speeds, and because I do not know how large your PDFs are, I cannot say for sure what the time delay should be if you choose to use it.

Like I said, though, if someone is determined to share the file, they can easily do so.

Andrew
+1  A: 

I'd say do it with a random code for authentication per email address, and expire that after 5 days. If you limit access to the IP that first hit the URL hash, that could work too but could inconvenience legitimate users/customers.

In any case make it easy for legitimate users to request a new authentication code if needed. That way even if any of your limitations inconvenience one of your potential customers, they will not be as ticked off about it.

Finally, consider that if they like the pdf and want to share it, they will probably just share the pdf itself right away and not bother with a link.

Fanis
A: 

Another possibility is that since you already know the person's email address, form a specific URL for them in their email link.

So a user would click a link http://www.yourdomain.com/[email protected]

Keep a table with the following data for the email addresses.

id email_addr read_date expire_date

When they click the link, check to see if they've read it before, and if they have, check it hasn't expired. If it hasn't, serve the PDF to them; if it has, give them a page that says "Sorry, your trial has expired..."

If it's their first time clicking it, then set the read_date, calculate the expiry date and set that.

Or optionally you could generate a hash or something and use the hash to id the user instead of their email address.

You could also set up a download column in the table and stop them from downloading it more than twenty times or something by incrementing the download column every time they click the link.

jduren
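The three answers above describe one stateful scheme: a per-recipient table row (jduren's id/email_addr/read_date/expire_date plus a download column), an unguessable token in place of the bare email address, an expiry window that starts at the first click rather than a one-shot link (Andrew and Fanis), and an easy way to reissue a code (Fanis). The block below is an added example that wires those pieces together against an in-memory SQLite table; it is not code from any of the posters. The base URL, the 5-day window, the 20-download cap and the `reader@example.com` address are constructed values, and the token is stored hashed so a leaked database dump does not hand out working links.

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

TRIAL_DAYS = 5        # expiry window counted from the first click (assumed value)
MAX_DOWNLOADS = 20    # per-link download cap (assumed value)
BASE_URL = "http://www.yourdomain.com/trial"   # hypothetical script location

# Fixed reference date so the walk-through is reproducible offline.
EPOCH = datetime(2010, 9, 1, tzinfo=timezone.utc)


def day(n: int) -> datetime:
    """Helper: a timestamp n days after EPOCH."""
    return EPOCH + timedelta(days=n)


def open_db() -> sqlite3.Connection:
    """Create the trial table described in the answer, plus a hashed token column."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE trials (
               id          INTEGER PRIMARY KEY,
               email_addr  TEXT    NOT NULL,
               token_hash  TEXT    NOT NULL UNIQUE,
               read_date   TEXT,
               expire_date TEXT,
               downloads   INTEGER NOT NULL DEFAULT 0)"""
    )
    return db


def _hash(token: str) -> str:
    # Only the hash is stored; the plaintext token lives solely in the email link.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(db: sqlite3.Connection, email: str) -> str:
    """Mint a fresh random token for this address; any earlier link is revoked."""
    token = secrets.token_urlsafe(32)
    db.execute("DELETE FROM trials WHERE email_addr = ?", (email,))
    db.execute(
        "INSERT INTO trials (email_addr, token_hash) VALUES (?, ?)",
        (email, _hash(token)),
    )
    db.commit()
    return f"{BASE_URL}?t={token}"


def token_from_link(link: str) -> str:
    return link.split("?t=", 1)[1]


def check_access(db: sqlite3.Connection, token: str,
                 now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide whether to serve the PDF for this click; returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    row = db.execute(
        "SELECT id, read_date, expire_date, downloads FROM trials WHERE token_hash = ?",
        (_hash(token),),
    ).fetchone()
    if row is None:
        return False, "unknown link"
    row_id, read_date, expire_date, downloads = row

    if read_date is None:
        # First click: start the clock now rather than at send time.
        expires = now + timedelta(days=TRIAL_DAYS)
        db.execute(
            "UPDATE trials SET read_date = ?, expire_date = ? WHERE id = ?",
            (now.isoformat(), expires.isoformat(), row_id),
        )
    elif now > datetime.fromisoformat(expire_date):
        return False, "Sorry, your trial has expired"

    if downloads >= MAX_DOWNLOADS:
        return False, "download limit reached"
    db.execute("UPDATE trials SET downloads = downloads + 1 WHERE id = ?", (row_id,))
    db.commit()
    return True, "serve pdf"


if __name__ == "__main__":
    # Constructed walk-through of the lifecycle described in the answers.
    db = open_db()
    link = issue_link(db, "reader@example.com")
    tok = token_from_link(link)
    print(check_access(db, tok, now=day(0)))    # first click: (True, 'serve pdf')
    print(check_access(db, tok, now=day(4)))    # still inside the window
    print(check_access(db, tok, now=day(6)))    # past read_date + 5 days
    new_link = issue_link(db, "reader@example.com")
    print(check_access(db, tok, now=day(6)))    # old token revoked: (False, 'unknown link')
    print(check_access(db, token_from_link(new_link), now=day(6)))  # fresh window
```

Because the expiry is set on the first successful click, a closed window or an interrupted download is not fatal: the same link keeps working for the rest of the window, up to the download cap. Reissuing deletes the old row, so a "send me a new link" form can be offered freely without leaving stale tokens alive.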