How to protect downloadable files

[Alan Silver]

Hello,

I am writing a site where people can buy ebooks. I want to have a system
whereby they can download the file(s) once they have paid, but
(obviously) not before. I also want some sort of protection to stop
people simply posting the download link around the 'net and have every
Thomas, Richard and Harold grabbing them!

Any suggestions for this?

I was contemplating using URL rewriting to provide a temporary link that
contained the date encoded, and have it only work for (say) 24 hours
after they pay. If they want it after that, they have to ask me
manually. That should deter people who haven't paid. I'm not sure how
good a system this is though.

Bear in mind that I'm not going to drive myself mad over this. I can't
stop people simply distributing the ebooks themselves, so it's not worth
expending huge efforts on protecting the download. Having said that, I
want something that will deter petty thieves.

Any suggestions welcome. TIA
Alan

 

[George Ter-Saakov]

The easiest way is to create Download.aspx page

which will evaluate the criteria (like if user logged in and has permission
to download this book ) and then redirect to error.aspx if criteria failed
or if success use Response.WriteFile to output file.

PS: You will need to add folowing code

Response.Buffer = false
Response.AddHeader "Content-Disposition","attachment; filename=myebook.pdf"

So users will be prompted to save file myebook.pdf

George.

 

[Peter Bromberg [C# MVP]]

You could have an obfuscated querystring that includes the customer name or
id, the date, and the id of the product to be able to download. If something
comes in and the decoded date is over 24 hours old, you would deny it.

There are a number of easy ways to encrypt or obfuscate a querystring. Here
is a simple one:

http://www.eggheadcafe.com/articles/20060427.asp
-- Peter
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
MetaFinder: http://www.blogmetafinder.com

 

[Sagaert Johan]

in Computer management console ->default website select properties of your
website:
select the directory tab
click the configuration button and make a new entry for the file extensoin
you want to be handled by ASP.NET

 

[Alan Silver]

Thanks to everyone who replied. So far, it sounds like you are all
suggesting basically what I had in mind, so I'll carry on with that
idea.

Thanks

The easiest way is to create Download.aspx page

which will evaluate the criteria (like if user logged in and has permission
to download this book ) and then redirect to error.aspx if criteria failed
or if success use Response.WriteFile to output file.

PS: You will need to add folowing code

Response.Buffer = false
Response.AddHeader "Content-Disposition","attachment; filename=myebook.pdf"

So users will be prompted to save file myebook.pdf

George.