[thelist] PHP Based file download system.
Seb Potter
seb at poked.org
Tue Jul 29 18:00:21 CDT 2003
On Tue, 29 Jul 2003 15:53:16 -0500, Tanner Burson
<tanner at younet.okstate.edu> wrote:
> I can't really get into the specifics of it, but suffice it to say that
> we are not allowed to give a user multiple copies of the software. What
> they do after they get a copy is thier business, my main concern is just
> making sure that users get their copy.
Here's the thing... you can't, not until the user actually runs the
software. There are a myriad of different problems that could occur during
the download that you have no way of testing for and the user has no way of
identifying. Take, for example, the problem where all bytes are downloaded,
but for some reason the downloaded file is corrupted. The user then has a
totally useless file, and you're not going to let them have another copy,
because as far as you're concerned, they've got theirs already.
> After a few arguments with my managers today I finally got them to buckle
> and agree to essentially a timed download. No matter how we go about it
> there are numerous methods of failure within this system simply because
> of the limitations of PHP/Apache/HTTP. I'm just looking for the method
> that runs into as few of them as possible :) If anyone has any
> suggestions other than just allowing a user to have the file available
> for X many minutes I'd love to hear them, Thanks All,
Stop trying to use a webserver to protect your business methods, because it
won't work. HTTP isn't built for it. If you want a user to only run one
copy of the software, then do some kind of key-based authentication of the
software, such that the software has to be registered to run with some kind
of valid identifiable user information.
There's a whole other argument here about placing restrictions on the use
of software through the misguided application of inappropriate technology.
Experience of the last 20 years has shown that *you simply cannot stop
people from copying software*. Not even Microsoft, with the billions of
dollars they pour into security research, has solved that one yet. If your
managers need convincing of that one, I can provide a lifetime's worth of
first-hand evidence, as well as most of a rainforest of real research.
If you're really desparate to feel safe in the knowledge that each user
only gets one copy, there are several commercial 'secure' downloaders that
attempt to offer the functionality that you describe. Microsoft has one
that they use to deliver content to technet and msdn subscribers. They're
almost universally based on a closed-source windows app that doesn't over
an unreliable http connection.
- seb
--
http://poked.org
More information about the thelist
mailing list