On 7/3/2011 4:53 PM, Stuart Dallas wrote:
> Only allowing them to access the URL once is a bad idea. If their
> download fails, is corrupt, or any number of other things go wrong
> (think accelerators, browser accelerators, etc) then you end up
> with a lot of support mail. Better to give them access for a short
> period of time.
Ok, so it just got more complex: if we let them do it twice, or
three times, we have a more complex design specification; if we let
them do it unlimited times, we just defeated the purpose of the
exercise. How about this: if it fails, the customer can email us,
and we can reply with a copy as an attachment; a ripoff artist will
not be in the log, and a complaint of failure to download gets them
nothing.
> Personally I would generate a unique token linked to their
> account, or if no user system exists then link it to their order
> number. Stick that in a URL and forward them to it. That URL shows
> them the thanks page and links to download the product(s). Each of
> those links also contains the token. Expire that token after 24
> hours, and on the page telling them it's expired give them a way
> to contact you just in case they haven't successfully downloaded
> the product yet.
> There is no need to use cookies. There is no need to use basic
> authentication (which is a horrible user experience). They come
> back from PayPal to a script that sets up their unique URL, then
> you take them to that URL. KISS it - the more complicated you make
> this the worse the user experience will be and it won't be any
> more secure than a time-limited unique token as described above.
> -Stuart
> --
> Stuart Dallas
> 3ft9 Ltd
> http://3ft9.com/
--
end
Very Truly yours,
- Kirk Bailey,
Largo Florida
kniht
+-----+
| BOX |
+-----+
think
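Stuart's time-limited token scheme, written out in PHP as an added example that is not code from the thread. The in-memory array, the example.com URLs and the order number are assumptions standing in for the shop's own storage and routes.

```php
<?php
// Added example: a download token tied to an order number that expires after
// 24 hours. $store is an in-memory array standing in for the shop's own
// order table (assumption); in production it would be a DB column.
const TOKEN_TTL = 24 * 3600;   // seconds; Stuart's suggested 24-hour window
$store = [];                    // sha256(token) => ['order' => ..., 'expires' => ...]

// Called by the script the customer lands on when coming back from PayPal:
// mint a token, remember only its hash, and return the URL to send them to.
function issueDownloadUrl(array &$store, string $orderId, int $now): string
{
    $token = bin2hex(random_bytes(32));      // CSPRNG, 256 bits: not guessable
    $store[hash('sha256', $token)] = [       // store the hash, never the token,
        'order'   => $orderId,               // so a leaked table can't be replayed
        'expires' => $now + TOKEN_TTL,
    ];
    return 'https://example.com/thanks.php?t=' . $token;   // hypothetical route
}

// Used by the thanks page and by every download link that carries the token.
// Returns the order the token belongs to, or null if unknown or expired.
function orderForToken(array $store, string $token, int $now): ?string
{
    $entry = $store[hash('sha256', $token)] ?? null;  // lookup by hash, no raw compare
    if ($entry === null || $entry['expires'] <= $now) {
        return null;
    }
    return $entry['order'];
}

// What the customer sees: the download page while the token is live, and on
// expiry a message with a way to contact the shop, as Stuart recommends.
function renderPage(array $store, string $token, int $now): string
{
    $order = orderForToken($store, $token, $now);
    if ($order === null) {
        return "This download link has expired. If you were unable to download "
             . "your purchase, email support@example.com (placeholder address).";
    }
    return "Thanks for your order $order. Download: "
         . "https://example.com/download.php?t=" . rawurlencode($token);
}

// Constructed walk-through: issue a link, then view it an hour later and a day later.
$now = time();
$url = issueDownloadUrl($store, 'ORD-1001', $now);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
echo renderPage($store, $query['t'], $now + 3600), PHP_EOL;
echo renderPage($store, $query['t'], $now + TOKEN_TTL + 1), PHP_EOL;
```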
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php