SitePoint Sponsor

User Tag List

Results 1 to 14 of 14
  1. #1
    SitePoint Wizard holmescreek's Avatar
    Join Date
    Mar 2001
    Location
    Northwest Florida
    Posts
    1,707
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Securing / Delivering Digital Content - Advice?

    I'm working with a client on building a site for a record label.

    I plan to store an audio clip for the visitors preview with the inclusion of the visitor having the capability of buying the song / album. I've built several cusotm back-ends and e-commerce systems with php/mysql so that part is pretty much covered.

    I figure once their credit card is processed they will receive a link to the full song.

    What I'm looking for is some input on how to best encrypt the link with PHP so that only the original purchaser can download the song.

    I figure I could store all songs in a .htaccess folder. Once the purchase is cleared, copy the particular song into a temporary folder with a randomly created name i.e. /download/ab82848292baxxs94/download.php

    Then, somehow in download.php have some way to determin if the file was successfully downloaded in its entirity, and if so, then remove the temporary folder. Thus, the first person to successfully download the song, if they pass the link onto someone else, the folder would be gone -- because of the first sucessful download.

    Any and all input is greatly appreciated!

    Thanks,

    HC
    intragenesis, llc professional web & graphic design

  2. #2
    SitePoint Zealot chrisdpucci's Avatar
    Join Date
    Dec 2006
    Location
    On the internets
    Posts
    191
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well you could always plant session or cookie data on the purchasers browser and have a php script that serves the file after purchase. If the browser contains the appropriate data which would indicate a purchase, the file is served, otherwise the php script throws an error. Seems like that approach would be alot easier to implement.

  3. #3
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    without some clienside program, you wont be able to know if the file was 100% received on thier end with absolute certainty.

    however, you could come pretty close if you absolutely had to by reading the file out a chunk at a time, flushing the data to the browser, and then rechecking the connection status.

    i think what i would do though is just leave the files in a non web accisble dir and use a php script to serve the file. the php script would validate the user before outputting the file, using thier session id. then just readfile() the whole thing.

    once the file is output, i update the db reflecting the time. then give them another 10min or whatever to download the file again if it messed or whatever. after that time has expired, the script will deny the file.

  4. #4
    SitePoint Wizard holmescreek's Avatar
    Join Date
    Mar 2001
    Location
    Northwest Florida
    Posts
    1,707
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Great, clam, you always have clever solutions.


    Everyone, keep those ideas coming!
    intragenesis, llc professional web & graphic design

  5. #5
    SitePoint Wizard holmescreek's Avatar
    Join Date
    Mar 2001
    Location
    Northwest Florida
    Posts
    1,707
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by clamcrusher View Post
    once the file is output, i update the db reflecting the time. then give them another 10min or whatever to download the file again if it messed or whatever. after that time has expired, the script will deny the file.
    The only problem I see here is they may decide to download all the songs, and be on a dialup connection.
    intragenesis, llc professional web & graphic design

  6. #6
    SitePoint Wizard holmescreek's Avatar
    Join Date
    Mar 2001
    Location
    Northwest Florida
    Posts
    1,707
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Oh, another question, but don't let it throw off the original question I posted. Would it be possible to fread() from the beginning to x number of bytes of the full mp3, then save that as the clip?
    intragenesis, llc professional web & graphic design

  7. #7
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    some gotchas you will likely run into:

    if you connect to a database in the script which outputs the file, best to disconnect from the database as soon as you can(eg, before you start outputting the file). otherwise, you will be holding the database connection open for many seconds, and this could quickly make you hit your database max connection limit. you can always reconnect to the database again after the readfile() call is done or whatever method you choose to output the data.

    similar issue with sessions. when you call session_start() php must aquire an exclusive lock on the session file(it does this to prevent data corruption). session_start() will litterally hang until it can aquire its own lock.

    problem is, lets say it take two minutes for the file to download. that means that php script will hold its lock on the session file for 2 minutes. that means that any other php scripts which call session_start() will not be able to get thier lock until that other lock is released, which will take 2 minutes. that means, you website breaks for the duration of the download.

    you can manually close the session to release the lock with a call to session_write_close(), and do this of course before the call to readfile()

  8. #8
    SitePoint Wizard holmescreek's Avatar
    Join Date
    Mar 2001
    Location
    Northwest Florida
    Posts
    1,707
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Oh, well, I split this topic up into two forums. Seemed more appropriate to discuss the technical delivery side with PHP here and the E-commerce options over in the E-Com forum, but for reference here is a link to "that side of the story"

    http://www.sitepoint.com/forums/show...97#post3226297
    intragenesis, llc professional web & graphic design

  9. #9
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by holmescreek View Post
    The only problem I see here is they may decide to download all the songs, and be on a dialup connection.
    10 minutes was just an arbitrary number. you could make it 8 hours if you wanted.

    since you will probably be using thier session id, or some other id that you store in a cookie, only this user will be getting the file anyway. another user who goes to your media_server.php?id=5723 url will be denied the file because they dont have the credentials stored in a cookie.

    now, they could tell thier friend to go grab that url and have them manually add the proper cookies to thier browser and they would succeed for the 8 hour duration or whatever. if this unlikely scenario is unnaceptable, you could set a flag in the database immediately prior to outputting the file, and then another update after the file download is completed. only allow 1 output stream per file, at a time for this session/download id. although this would present issue if you later decided to support byte range requests to allow people to use those download accelerator thingys that make multiple request for the same file, each request only getting a chunk.

  10. #10
    SitePoint Wizard TheRedDevil's Avatar
    Join Date
    Sep 2004
    Location
    Norway
    Posts
    1,191
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    Always consider the customer experience as well.

    Log the purchased products (music files) to their account, then allow them x number of downloads of the file (Usally three seems to be a good number), this will allow them to redownload the file if the connection close.

    Then serve the files a similar way as clamcrusher mentions, though make sure you disable the time limit at the start of the script, or the script might terminate before you send the file to the customer.

    You may also want to make sure that the download script allows your users to continue downloading where they "dropped" off if they get disconnected etc.

    This will give your customers a richer experience from using the site, and will again make the chance for the customer buying another product higher.

    With that in mind, you want to make sure that the login side of the site is good. Make sure its impossible to login without having the username/password. You can even go so far that you only allow them to download it from a specific location (ip location database) though this is not 100% with all isps.

    Finally, you dont need to worry about a customer giving away their login information. They will not do that as long as their personal information and purchase information is there. And honestly, if one of the customers want to share the music it will be much easier for him/her to just send the music to the person...
    Even if there is a backend DRM system, this is still how the customer will share the music if he/she decide to do it.

    I.e. in the end,that is why its better to put an added effort into the customer experience, instead of making sure only "client on pc x" are able to download the song one time withing x minutes. If the customer want to share the product (music) he/she will.

  11. #11
    SitePoint Wizard holmescreek's Avatar
    Join Date
    Mar 2001
    Location
    Northwest Florida
    Posts
    1,707
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Great tips. Any suggestions on what player to embed for clip previews?

    I would agree. Maybe have them log in and in my user table keep an index of songs with the date/time stamp of purchase. But, if I can figure a way where anyone can just hit the site, provide the cc info without having to create an account, I prefer that method. I hate sites where, (not in this particular case), you have to have an account before you are given a total with tax and shipping. Ugh, I'll go somewhere else.
    intragenesis, llc professional web & graphic design

  12. #12
    SitePoint Zealot backtobasics's Avatar
    Join Date
    Aug 2006
    Posts
    196
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    A small, lightweight Flash movie will do the trick for previewing the clips. You could use XML for loading the location of the track, the title, etc.

    Or, even use Flashvars to tell the movie where to load the track from. For example, say you wanted to show a track located at 'songs/previews/song1.mp3', then in your code for embedding the Flash movie the URL would be flashmovie.swf?src=songs/previews/song1.mp3&title=song1

    You would then need to add some simple ActionScript for dealing with loading the song etc. Assuming you have prior knowledge of Flash, this will be simple enough to do.

    Sorry if this has confused you at all!

  13. #13
    SitePoint Wizard TheRedDevil's Avatar
    Join Date
    Sep 2004
    Location
    Norway
    Posts
    1,191
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    Flash can as mentioned be used for playing the music snips. Though it is impossible for you to protect the snips from beeing downloaded this way.

    The user only need a logging software like Ethereal and they will get the paths they require to download the music directly, or they can just rip the sound directly.

    The only way you can hide the location, is if you have a strict login system, which double check when the music is loaded. But that require the user to be logged in to listen to the snips, i.e. not a good experience for the user.

    When securing your site you would want to use a software like Ethereal, to make sure its impossible to hijack anything or get any real paths.

    Regarding making the user create an account before they see the total amounts, well you dont need to do it that way

    As you know, when we purchase its usally a "in the moment" thing, and the more steps we need to take to finish the purchase the easier it is for us to say "nah, we dont need it" and stop.

    Due to that we have the last years been making "one step" purchase page. One page that the customer will see when he/she clicks to pay after selecting some products. On this page they will enter they information etc as well as the cc information. Then if the user has a username, he will use it and the personal fields will be filled out (ajax). If he does not have a username, we will automatically create one from his email address when he finishes the purchase and send the password to that email address.

    We have had no problems with that approach for now, just make sure you explain that the email address will be used as a username, and that they will get a password sent to it. Just so they dont enter a fake email address.

  14. #14
    SitePoint Member
    Join Date
    Dec 2006
    Location
    Huddersfield, UK
    Posts
    17
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Making it easy to use and a secure solution is not easy. Make it too secure and the buyer will not have time to download it and your clients will be continually contacting you for non delivery, or making chargebacks for non delivery.

    Make it too easy and anyone will be downloading your content for free!

    Try phpAMA it takes a different secure path to provide content to your paying members:
    http://www.dwalker.co.uk/phpautomembersarea/


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •