
osCommerce

The e-commerce.

securing the download folder


woodpress


never thought about it before until I discovered that there was an open door, but what is the best way to secure the download folder?

it appears that if a visitor can figure out your download files' naming structure, they can just loot your downloads without paying for them.

ie: www.yoursitename.com/catalog/download/1234.pdf could be grabbed, as well as any others that they can get.

Can users still download at checkout if I put a password lock on that folder, or will that impede their legitimate downloading?

What's a good solution, ol' wise ones?


Not an ideal solution, but you could put an .htaccess file in the downloads folder and include the login details in the sales receipt email.

Hope this helps.

Experienced in MySQL and PHP. I am always willing to help if you require a quick answer but please note that any work I do for you has to be charged for and pre-paid via PayPal. Sorry but I spend so much time helping others that I have less time for my own business. Please only ask for my assistance if you are willing to pay for my time.


The simplest fix may be to rename your download folder to some 20-character random permutation of these letters:

abcdefghijklmnopqrstuvwxyz

Looking at the code in download.php it says there are more than 10^28 (written longhand that's 10 followed by 28 zeros) possible combinations.

The chances of someone guessing that are (for all intents and purposes) nil.

If you do this, you'll have to update your configure file as well:

  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help



 

Jim's idea is a good one. The problem is that if you stick to the default download location and folder names, then anyone who knows the osCommerce setup can find your downloadable directory.


Jim's idea is a good one. The problem is that if you stick to the default download location and folder names, then anyone who knows the osCommerce setup can find your downloadable directory.

Not if you "do it right".

 

You can keep the location the same, just change the name, and they can't find it.


Jim's idea is a good one. The problem is that if you stick to the default download location and folder names, then anyone who knows the osCommerce setup can find your downloadable directory.

So is the config file the only place that you would have to change the renamed folder "download" to "whatever", or are there other files that need to be changed?


As far as I know, that's all you'll need to change.

 

Just make a backup before you begin, and you'll be alright.
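The rename-the-folder procedure Jim suggested above, together with the configure.php change this answer confirms, carried out as an added shell example (not osCommerce's own code). The catalog layout ($catalog/download/ and $catalog/includes/configure.php holding the quoted define) and the Apache 2.4 "Require all denied" line are assumptions.

```shell
#!/bin/sh
# Added example, not osCommerce's own code: rename the download folder to a
# random 20-letter name, point DIR_FS_DOWNLOAD in configure.php at it, and
# deny direct web requests to it. Assumed layout: $catalog/download/ and
# $catalog/includes/configure.php holding the define quoted in the thread.

# 20 characters from a-z drawn from the kernel CSPRNG (26^20 > 10^28 names).
random_download_name() {
    LC_ALL=C tr -dc 'a-z' < /dev/urandom | head -c 20
}

# Rewrite the DIR_FS_DOWNLOAD define so it references $new instead of $old,
# keeping a .bak copy (the thread's advice: back up before editing).
# Returns non-zero if the define was not rewritten.
update_configure() {
    conf="$1"; old="$2"; new="$3"
    sed -i.bak "s|DIR_FS_CATALOG \. '$old/'|DIR_FS_CATALOG . '$new/'|" "$conf"
    grep -q "DIR_FS_CATALOG . '$new/'" "$conf"
}

# Rename the folder and update the config; prints the new folder name.
secure_download_dir() {
    catalog="$1"; old="${2:-download}"
    new=$(random_download_name) || return 1
    mv "$catalog/$old" "$catalog/$new" || return 1
    # download.php hands out purchased files itself, so the folder never
    # needs to be fetched directly by a browser: refuse direct requests
    # (Apache 2.4 syntax; an assumption about the web server in use).
    printf 'Require all denied\n' > "$catalog/$new/.htaccess"
    update_configure "$catalog/includes/configure.php" "$old" "$new" || return 1
    echo "$new"
}
```

Run it once as `secure_download_dir /path/to/catalog`, then confirm that a direct request for a file under the new folder name is refused while a checkout download through download.php still works.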
