Umm....no they can't. pay_first.php is what you send them to if they don't
have a correct session. If the session is correct, show the download page.
Notice the ! in front of isset().

---John Holmes...

----- Original Message -----
From: "Ron Stagg" <[EMAIL PROTECTED]>
To: "1LT John W. Holmes" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, May 29, 2002 5:02 PM
Subject: RE: [PHP] ******************* Secure product download
*******************


Yes, but unauthorized users can still just key in the URL
(http://www.example.com/pay_first.php) into their browser and get around
the session verification.

I have toyed around with dynamically building the file when it is
needed, but I need to delete it once it has been downloaded by the user.
How can I delete a file as soon as it has been downloaded?

Ron Stagg

-----Original Message-----
From: 1LT John W. Holmes [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 29, 2002 2:57 PM
To: Ron Stagg; [EMAIL PROTECTED]
Subject: Re: [PHP] ******************* Secure product download
*******************

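session_start();
// No payment flag in the session: redirect to the payment page and stop.
if (!isset($_SESSION["did_pay"])) {
    header("Location: http://www.example.com/pay_first.php");
    exit; // without exit, the download code below still runs after the redirect header
}
//show download code....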

Obviously you set $_SESSION['did_pay'] to a value once they, umm, pay.

---John Holmes...

----- Original Message -----
From: "Ron Stagg" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 29, 2002 4:47 PM
Subject: [PHP] ******************* Secure product download
*******************


I am building a site where visitors can purchase and download software.
To purchase a software product, the visitor must submit credit card
info.  Once the purchase has been approved, the user is given a link
from which he/she may download the requested software.  This link MUST
only be accessible to those who have paid.  I have tried a number of
different and creative methods, but none give me the security I need.  I
don't want the user to be able to bookmark the URL or email the URL to
friends so that they can download the software as well.  I am using PHP
sessions combined with MySQL user accounts to authenticate users
throughout the rest of the site.  How can I get this to work for
downloads?

Is this even possible within the open realm of the browser?  Have any of
you solved a similar problem?  I welcome any ideas.

Ron Stagg



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
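
Added example, not part of the original thread and not code from either poster: one way to combine the session check discussed above with the "delete it once it has been downloaded" question. The file paths, the product.zip name and the one-download-per-purchase policy are assumptions, and copy() stands in for whatever step builds the file.

```php
<?php
declare(strict_types=1);

// Hypothetical locations. Both sit outside the web root, so the product
// has no URL of its own and can only be reached through this script.
const PRODUCT_FILE = '/srv/private/products/product.zip';
const TEMP_DIR     = '/srv/private/tmp';

session_start();

// Gate: without the paid flag, redirect and stop. The exit matters,
// because header() alone does not end the script.
if (!isset($_SESSION['did_pay'])) {
    header('Location: http://www.example.com/pay_first.php');
    exit;
}

// Assumed policy: one download per purchase. Clear the flag before any
// bytes are sent, so a bookmarked or forwarded URL is useless afterwards.
unset($_SESSION['did_pay']);
session_write_close();

// Create the per-request file (stand-in for "dynamically building" it).
$tmp = tempnam(TEMP_DIR, 'dl_');
if ($tmp === false) {
    http_response_code(500);
    exit;
}

// Delete the file when the script ends. Shutdown functions also run when
// the client aborts the transfer, so no stray copies are left behind.
register_shutdown_function(static function () use ($tmp): void {
    if (is_file($tmp)) {
        unlink($tmp);
    }
});

if (!copy(PRODUCT_FILE, $tmp)) {
    http_response_code(500);
    exit;
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="product.zip"');
header('Content-Length: ' . (string) filesize($tmp));
header('Cache-Control: private, no-store');
readfile($tmp);
```

Clearing the flag before the transfer means an interrupted download uses up the purchase; a download counter or an expiry time stored in the MySQL account record is a more forgiving variant of the same check.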


