Hey there - first off, if this isn't the right place to post this, delete it =)
Was just testing to see what would happen if someone copied the URL to my downloadable product from their "My Account" page. Within a new browser, not logged in, I was able to download the file with the URL..
Is there something I need to add to .htaccess or something to make it a secure download? Don't like the idea of a link being passed around.
@midnightdonkey WC have 3 download methods Force download, X-Accel-Redirect/X-Sendfile and redirect (direct link) determine this on Settings page of WC. You too can determine how many times the customer can download (on product page)
Will either of these download options stop link sharing?
Problem is, I want people to have access to their downloads forever, but can't have them simply sharing the link..
@midnightdonkey No, this options no stop link sharing.
I make a correction to prevent link sharing. It will be available in late afternoon. If @mikejolley are workink today =D
Even if you did prevent link sharing (I.e by requiring login first) there's nothing to stop someone sharing the file itself, or uploading elsewhere...
IMO its not worth it - its better to just accept that some people will abuse the system (whatever you do), rather than imposing restrictions that could potentially make things more difficult for honest customers.
Well, of course dishonest people can always download the file, upload it somewhere else and share it - but that's a lot more involved than simply copying a link and sending it to to all your friends..
IMO it's worth it - but ultimately it's up to you guys..
@mikejolley I thought add a the hash on link for function 30 or 60 minutes, then it would be necessary to reload the page to create a new hash, the hash in my account and verify in function woocommerce_download_product. You think that is better a plugin for this case?
@John-Henrique That's sounds like a perfect idea to me.
@midnightdonkey I'm developing a plugin (before interacting in this issue) where PDF files will be graphed with name, email, order ID, site name or up to 3 these options together. But this plugin is commercial, see example WooCommerce Watermark PDF
@John-Henrique hashes/nonces are fine for links in the backend, but I'm concerned about a) links in emails and b) links for guest purchasers (who don't have an account)
@mikejolley true, guest users... I think this:
Guest users can see order view page? yet no worked with this function.
Maybe guest users can input their email into an input, and if the email exists in the database, send a fresh link to that email?
Any new ideas on this? I'm sure I'm not the only one concerned about link sharing?
I've added it to a future milestone - we'll look into getting some extra protection added after the next release.
May need to end up requiring an account to be able to access the download forever. Otherwise track download numbers and have limitations that way, but you sometimes have to make the compromise.
I would require account registration for unlimited downloads and then nonce the URL or something
Patricks commit tackled member downloads - however, the guest system hasn't changed and needs looking at - leaving this ticket open.
Links will be nonced, valid for 7 days (filterable)?
That will help secure the download. Of course, someone can share their mail address to
Since implementing the require login option this has had little demand. I will close this until it gets demand via ideas.woothemes.com or elsewhere.
So what's the deal on this? I to added a downloadable product and copied the file path and found that the downloadable product can be downloaded without logging in or even if it wasn't and can be downloaded even if maintenance mode is activated... If I have all my file names are similar, they would be able to guess all the files offered. I'm using the Force Download method and am checking to see if the XSendfile is on my server but no matter what I select it seems that the file path is accessible... I would think that it would protect the main file and auto-name random names for each purchase or something right?
My site is in maintenance mode and this test file can be downloaded ... if all packs are named texture-pack-001.zip, they would just change the 001 to 002 and have access to a pack they didn't purchase.
When I do a check on your Apache modules I see this:
[root@vps1 ~]# httpd -L | grep -i send
Controls whether sendfile may be used to transmit files
whether or not to send a Content-MD5 header with each request
The name of the X-Sendfile peudo response header or On or Off
Send buffer size in bytes
Will those provide the functionality I need XSendFile?