Thread: .htaccess .php proxy
View Single Post
Old 01-25-2025, 11:13 AM  
cerulean
Web & App Development
 
cerulean's Avatar
 
Industry Role:
Join Date: Oct 2023
Location: United States
Posts: 118
Quote:
Originally Posted by Publisher Bucks View Post
Well right now the customer data is stored in SQL (hashed with SHA1) and the script just grabs their transaction ID, email address and associates that with another table that contains the product(s) they purchased.

In order to download them, the transaction ID and email address (plus their name) has to all match a form submission which then redirects the customer to a 'download' page with their individual files.

The problem is, the files that they're purchasing have been stored on a domain (behind .htpsswd protection) that is over 10 years old, that, was honestly never even considered might be needed for this purpose, there's nothing on that domain except about 12,000 individual files, all with a unique ID.

I figured if i used a proxy to store a new username and password in the .htpsswd file, (there is no directory browsing possible) that would resolve my having to dynamically create an actual username and password for each customer when a purchase is made.

Am I overthinking things or would this be fine? There isn't really anything of 'value' per se in the protected directory that if it gets lost somehow I wouldn't be able to re-upload from a physical HD.

I'll be honest, coding out an actual user login system isn't something I feel like doing on a weekend, at least not until I have the user account creation stuff setup
I understand what you're trying to do. I think it's healthy to overthink security and protection when user information is involved, and when money is involved. Both of these things are true for you.

Is there a reason you can't just send an email link on purchase with a unique code that downloads the correct file on a timer (as you've described?) You wouldn't need a username or password, as long as the file uses X-Accel-Redirect or X-Sendfile to load the file behind a proxy to obfuscate the process of passing the file to the user.

We're at a point in software development where everyone already has a service or an offering. Sometimes it's more financially beneficial to just purchase a pre-existing solution than it is to code through the weekend something from scratch. I am sure there are already systems that do what you want, and the costs would likely be minimal if it saved you time.
__________________
Cerulean Software Specializes in Website and App Development. Email me today!

Keep Your Business and Members Area Secure with LoginBlue Password and Content Protection
cerulean is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote