The personal disquiet of

Mark Boulton

September 8th, 2005

ebook download security question

A friend of mine is planning on self-publishing a book, via a website as a downloadable pdf, and then through something like Lulu for people who want a nicely bound offering.

So, the question is Paypal. I’ve got as far as going through the documentation, seeing how you can set up a pay now button etc., which then directs back to the website for downloading the file.

My question is this. How secure is that? Or rather, how secure is the page on which you can download it? What measures can I put in place to maximise security? I’m only asking because googling this just gives a list of commercial companies hell-bent on trying to sell you something.

Anyone able to shed some light on this?

12 Responses to “ebook download security question”

  1. Ryan Heneise said on: September 8th, 2005 at 6:10 pm

    Here’s an idea… 

    You could set up a small database that would contain their email address and a hashed (MD5 or SHA-1) string made up of some key plus their email address.

    When they purchase the book, send them a link with the hashed string and their email address in the URL parameters. The program would look up their record from the parameters supplied, re-hash the email address, and then provide the file download if everything checks out.

    For extra security, you could also get their IP address or set a cookie, and only serve up the eBook if those credentials match too.

    Hope this helps…

  2. Ryan Heneise said on: September 8th, 2005 at 6:21 pm

    There is a similar technique posted on Signal vs. Noise called “URL or Username and Password?”, posted 30 Aug 2005. (Your comment form won’t let me post the link.)

  3. Ryan Campbell said on: September 8th, 2005 at 6:56 pm

    Hey Mark — I recently made a similar post in the 9rules Site Suggestions forum. The guys had some good advice.

    I’m in the same boat and stepping through the process. Basically, I am trying to direct users to a secure pdf download. Paypal returns to our site, and a page processes the download. I started with the following code:

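    // The path and real file name stay on the server; the user never sees them
    $dir = "yourdir/";
    $file = $dir . "filename.psd";

    // Force a download under a different name than the stored file
    header("Content-type: application/force-download");
    header("Content-Transfer-Encoding: Binary");
    header("Content-length: " . filesize($file));
    header("Content-disposition: attachment; filename=\"haha.psd\"");
    readfile($file);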

    This works pretty well because you can hide the path and filename from the user, so the only way to access the file is some good guessing. It is not 100% safe though, so I am in the process of trying to implement what they suggested — keeping the file outside of the web file structure.

    Anyways, once my setup is finished I will let you know. You are more than welcome to use my code. The only difference with mine is that we have a database with username/passwords so it is easy to verify. In yours, some type of hash code will need to be stored just as Ryan suggested.

  4. Ryan Heneise said on: September 8th, 2005 at 7:23 pm

    Just thought I’d put a little disclaimer on my comment above… I haven’t tried it yet, so I don’t know if it would actually work. It’s probably one of a zillion ways to do this.

    I’d be really interested to hear what you end up doing.

  5. Mark Boulton said on: September 8th, 2005 at 9:03 pm

    Ryan Heneise — Thanks Ryan, well I’m not the most adept programmer in the world so actually implementing this theory of yours might prove tricky! ;). Thanks for the tips though.

    Ryan Campbell — Hey Ryan. I’d forgotten you were going through something similar actually. This sounds exactly what I’m after. Let me know when you’re done and I’ll try and get to work on it. Not so sure how to implement all this talk of hashes and things…

  6. Ryan Campbell said on: September 9th, 2005 at 12:49 am

    Sounds good — we should be doing testing shortly, and then I’ll have some more concrete stuff to give you.

  7. Rob Babcock said on: September 9th, 2005 at 1:06 am

    I use LinkLok for Paypal IPN to handle the secure download of the content I sell on my site. The developer is very responsive and I’m very pleased with the product.

  8. Mike Zornek said on: September 9th, 2005 at 3:23 am

    You could ask Dave how they do it. I bought a PDF book from them and they emailed me a special unique url to download it after it was prepared. Prepared seemed to be customizing the PDF with a “Prepared exclusively for Michael D Zornek” at the footer of each page. Other than that though no DRM (which is important for me).

    Adam also sells PDFs online and might be able to give some advice. 

    Good luck!

  9. Mark Boulton said on: September 9th, 2005 at 11:01 am

    Ryan — Thanks for that. Looking forward to seeing it.

    Rob — That does look like an interesting product and quite feature rich.

    I noticed on your site, you use Cafepress for your printed material. How do you find the quality of the books they produce? Also, do they offer full colour book printing for distribution in the UK? I couldn’t find any information about that anywhere.

  10. Craig said on: September 9th, 2005 at 11:39 am

    Just found this script which looks like it could be helpful in facilitating pdf sales over paypal. Requires a bit of setup but cheaper than buying a pre-made solution.

    Also, these guys offer a service similar: http://payloadz.com/

  11. Craig said on: September 9th, 2005 at 12:29 pm

    (Here’s the link for the script: http://www.hotscripts.com/Detailed/46734.html)

  12. Nathan Rutman said on: September 12th, 2005 at 1:49 pm

    Mark, I did a similar thing with an ASP solution a year or so ago. Found some code that would read through a binary file and “feed” it to the web browser (ASP called it a file stream). So the user thought they were downloading thefile.asp, but it returned a content type of application/pdf and then the binary for the PDF file they requested through the query string. It worked well. And yes, you will want to store the PDF outside the web folder structure.
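
The link scheme from comment 1 (a keyed hash in the emailed URL, re-computed at download time) combined with the advice in comments 3 and 12 to keep the PDF outside the web folder structure, as an added example that is not code from any commenter. It swaps the plain MD5/SHA-1 of key plus email for HMAC-SHA-256, adds an expiry time and skips the database lookup; SECRET_KEY, BOOK_DIR, download.php and the function names are assumptions.

```php
<?php
// Added example. SECRET_KEY, BOOK_DIR and all function names are assumptions.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret';
const BOOK_DIR   = '/var/private/ebooks';   // directory outside the web root

// Keyed hash over the values the link carries; JSON keeps the fields unambiguous.
function sign(string $email, string $file, int $expires): string
{
    $msg = json_encode([$email, $file, $expires], JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $msg, SECRET_KEY);
}

// Build the link that is emailed to the buyer once payment is confirmed.
function make_download_link(string $email, string $file, int $ttl = 86400): string
{
    $expires = time() + $ttl;
    return 'download.php?' . http_build_query(['email' => $email, 'file' => $file,
        'expires' => $expires, 'sig' => sign($email, $file, $expires)]);
}

// Re-compute the hash from the request parameters and compare it with the one sent.
function link_is_valid(array $q): bool
{
    foreach (['email', 'file', 'expires', 'sig'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) return false;
    }
    if (!ctype_digit($q['expires']) || (int) $q['expires'] < time()) return false;
    $expected = sign($q['email'], $q['file'], (int) $q['expires']);
    return hash_equals($expected, $q['sig']);   // constant-time comparison
}

// Stream the PDF; basename() drops any directory part of the requested name.
function send_book(string $file): void
{
    $path = BOOK_DIR . '/' . basename($file);
    if (!is_file($path)) { http_response_code(404); exit; }
    header('Content-Type: application/pdf');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

if (PHP_SAPI !== 'cli') {           // download.php, reached from the emailed link
    if (!link_is_valid($_GET)) { http_response_code(403); exit('Link invalid or expired.'); }
    send_book($_GET['file']);
} else {                            // command-line check with a constructed buyer
    parse_str(parse_url(make_download_link('buyer@example.com', 'book.pdf'), PHP_URL_QUERY), $q);
    var_dump(link_is_valid($q), link_is_valid(['file' => 'other.pdf'] + $q));
}
```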
