[thelist] PHP Based file download system.

Seb Potter seb at poked.org
Tue Jul 29 18:00:21 CDT 2003 

On Tue, 29 Jul 2003 15:53:16 -0500, Tanner Burson 
<tanner at younet.okstate.edu> wrote:

> I can't really get into the specifics of it,  but suffice it to say that 
> we are not allowed to give a user multiple copies of the software.  What 
> they do after they get a copy is thier business, my main concern is just 
> making sure that users get their copy.

Here's the thing... you can't, not until the user actually runs the 
software. There are a myriad of different problems that could occur during 
the download that you have no way of testing for and the user has no way of 
identifying. Take, for example, the problem where all bytes are downloaded, 
but for some reason the downloaded file is corrupted. The user then has a 
totally useless file, and you're not going to let them have another copy, 
because as far as you're concerned, they've got theirs already.

> After a few arguments with my managers today I finally got them to buckle 
> and agree to essentially a timed download.  No matter how we go about it 
> there are numerous methods of failure within this system simply because 
> of the limitations of PHP/Apache/HTTP.  I'm just looking for the method 
> that runs into as few of them as possible :)  If anyone has any 
> suggestions other than just allowing a user to have the file available 
> for X many minutes I'd love to hear them, Thanks All,

Stop trying to use a webserver to protect your business methods, because it 
won't work. HTTP isn't built for it. If you want a user to only run one 
copy of the software, then do some kind of key-based authentication of the 
software, such that the software has to be registered to run with some kind 
of valid identifiable user information.

There's a whole other argument here about placing restrictions on the use 
of software through the misguided application of inappropriate technology. 
Experience of the last 20 years has shown that *you simply cannot stop 
people from copying software*. Not even Microsoft, with the billions of 
dollars they pour into security research, has solved that one yet. If your 
managers need convincing of that one, I can provide a lifetime's worth of 
first-hand evidence, as well as most of a rainforest of real research.

If you're really desparate to feel safe in the knowledge that each user 
only gets one copy, there are several commercial 'secure' downloaders that 
attempt to offer the functionality that you describe. Microsoft has one 
that they use to deliver content to technet and msdn subscribers. They're 
almost universally based on a closed-source windows app that doesn't over 
an unreliable http connection.


- seb

-- 
http://poked.org

More information about the thelist mailing list