Skip to content

Loading…

Make virtual download secure #497

Closed
midnightdonkey opened this Issue · 20 comments

5 participants

@midnightdonkey

Hey there - first off, if this isn't the right place to post this, delete it =)

Was just testing to see what would happen if someone copied the URL to my downloadable product from their "My Account" page. Within a new browser, not logged in, I was able to download the file with the URL..

Is there something I need to add to .htaccess or something to make it a secure download? Don't like the idea of a link being passed around.

Thanks..

@John-Henrique

@midnightdonkey WC have 3 download methods Force download, X-Accel-Redirect/X-Sendfile and redirect (direct link) determine this on Settings page of WC. You too can determine how many times the customer can download (on product page)

@midnightdonkey

Will either of these download options stop link sharing?

Problem is, I want people to have access to their downloads forever, but can't have them simply sharing the link..

@John-Henrique

@midnightdonkey No, this options no stop link sharing.

I make a correction to prevent link sharing. It will be available in late afternoon. If @mikejolley are workink today =D

@mikejolley
WooThemes member

Even if you did prevent link sharing (I.e by requiring login first) there's nothing to stop someone sharing the file itself, or uploading elsewhere...

IMO its not worth it - its better to just accept that some people will abuse the system (whatever you do), rather than imposing restrictions that could potentially make things more difficult for honest customers.

@midnightdonkey

Well, of course dishonest people can always download the file, upload it somewhere else and share it - but that's a lot more involved than simply copying a link and sending it to to all your friends..

IMO it's worth it - but ultimately it's up to you guys..

@John-Henrique

@mikejolley I thought add a the hash on link for function 30 or 60 minutes, then it would be necessary to reload the page to create a new hash, the hash in my account and verify in function woocommerce_download_product. You think that is better a plugin for this case?

@midnightdonkey

@John-Henrique That's sounds like a perfect idea to me.

@John-Henrique

@midnightdonkey I'm developing a plugin (before interacting in this issue) where PDF files will be graphed with name, email, order ID, site name or up to 3 these options together. But this plugin is commercial, see example WooCommerce Watermark PDF WooCommerce Watermark PDF

@mikejolley
WooThemes member

@John-Henrique hashes/nonces are fine for links in the backend, but I'm concerned about a) links in emails and b) links for guest purchasers (who don't have an account)

@John-Henrique

@mikejolley true, guest users... I think this:

  • a) Add a big hash up 72 (or more) hours. This case, in email text, include info about this limit
  • b) Guest users will go receive this same emails

Guest users can see order view page? yet no worked with this function.

@midnightdonkey

Maybe guest users can input their email into an input, and if the email exists in the database, send a fresh link to that email?

@midnightdonkey

Any new ideas on this? I'm sure I'm not the only one concerned about link sharing?

@mikejolley
WooThemes member

I've added it to a future milestone - we'll look into getting some extra protection added after the next release.

@pmgarman

May need to end up requiring an account to be able to access the download forever. Otherwise track download numbers and have limitations that way, but you sometimes have to make the compromise.

I would require account registration for unlimited downloads and then nonce the URL or something

@mikejolley
WooThemes member

Patricks commit tackled member downloads - however, the guest system hasn't changed and needs looking at - leaving this ticket open.

@mikejolley
WooThemes member

Guest handling:

  • rename setting "Require login to download" to "protect downloads"
  • when a guest goes to download a link (someone with no account), prompt for the billing email address.
  • Correct email address - email the download links to the user

Links will be nonced, valid for 7 days (filterable)?

That will help secure the download. Of course, someone can share their mail address to

@mikejolley
WooThemes member

Since implementing the require login option this has had little demand. I will close this until it gets demand via ideas.woothemes.com or elsewhere.

@mikejolley mikejolley closed this
@OcalaDesigns

So what's the deal on this? I to added a downloadable product and copied the file path and found that the downloadable product can be downloaded without logging in or even if it wasn't and can be downloaded even if maintenance mode is activated... If I have all my file names are similar, they would be able to guess all the files offered. I'm using the Force Download method and am checking to see if the XSendfile is on my server but no matter what I select it seems that the file path is accessible... I would think that it would protect the main file and auto-name random names for each purchase or something right?

My site is in maintenance mode and this test file can be downloaded ... if all packs are named texture-pack-001.zip, they would just change the 001 to 002 and have access to a pack they didn't purchase.

http://www.c4dtexturepacks.com/wp-content/uploads/test-texture-pack.zip

@OcalaDesigns

When I do a check on your Apache modules I see this:

[root@vps1 ~]# httpd -L | grep -i send
EnableSendfile (core.c)
Controls whether sendfile may be used to transmit files
whether or not to send a Content-MD5 header with each request
ProxySCGISendfile (mod_proxy_scgi.c)
The name of the X-Sendfile peudo response header or On or Off
SendBufferSize (prefork.c)
Send buffer size in bytes

Will those provide the functionality I need XSendFile?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.