Protecting Download Links

[CXGJarrod]

Can anyone think of a way to protect a download link so that people cannot see where the download is coming from? We think that people are using a direct link to download our software. (thus bypassing the registration page) We would like to change the link and add some more protection. We have a IIS 5 box.

I have already looked at some protection through a third party (anti-leech.com) but want to keep my options open if anyone has any ideas.

Thanks in advance.

[SodaMoca5]

This is only a suggestion but could you make the link an ASP request that retreives their current login name or password. If they use when not logged into the site it could not retrieve this portion and would either redirect them to a login screen or give them a site not found error.

The other way to implement this is to send the requested url to a login screen that they must log through to get to the download. The drawback of this is that for every download they would have to put in a login or password. It could get tedious for someone who downloads a lot of your files.

I am not enough of a programmer to give you code hints on how to do it, I apologize, but you could consider these and see if they are feasible.

[CXGJarrod]

A username and password cannot be a solution at the moment. (According to management)

[doktorf00bar]

This question is a little like the one posed in this thread here:
http://www.antionline.com/showthread...484#post585484
in that the answer is similar. It is possible to protect from casual curiosity, but there is no real way to stop the determined. In the case of downloads, there is no type of web scripting or whatever that can disable the ability to use netstat or similar tools to see which IP addys a host is connecting to.

[Terr]

Hmm. What about a script which checks the referring URL and displays a 'Blah blah stolen' image if the referring URL is alien? (Otherwise returning the file)? I dunno.

[mmelby]

I think Terr is on the right track. I am in the process of doing something similar. Through scripting you can determine the refering page. If the referring page is the correct one you can use the redirect function to the download url. I am currently working on how to hide this last piece. I will not be able to get back to it until this weekend. As I come up with a solution I will update this thread.

[bluebeard96]

Two potential solutions. I see where Terr is heading, and I was thinking the same thing at first. I do see one problem however. Let's say the download link is available on download.asp. Even if download.asp checks for the referre (ie processform.asp), the link directly to the file is still exposed in the html. You can do it this way, but I wouldn't place a link in the html. I'd rather throw a redirect in the processform.asp DIRECTLY to the file. Someone correct me if I'm wrong, but wouldn't that keep the actual path from being sent to the user? A user, in theory, would hit submit on the form and then the next thing they would see is the download file prompt when the form redirects them.

Just an idea. Haven't tested it yet. I think I'll go play with it now. :-)

[buzzcut]

First of all let me say that I have never done this with asp through IIS so I don't know for sure if it will work. I used to do the following with a perl script through Apache for a software company that I worked for:

1. Person buys the software, and a dynamically generated link is sent to them. That link has an order number in it that specifies it as that specific download. The link is actually a script that is used to push the program out to the user.

2. When the user clicks on the link, the script parses the url, looks up that order number in the database, and serves up the program(s) that they purchased to them.

3. A cron job comes through nightly and deletes the link (script) that was created after 3 days so it is no longer accessible.

Granted, that does not mean that they won't be able to mail that link to all of their friends in the first 72 hours, but it might help curb the abuse a little bit.

[bluebeard96]

OK, confirmed that this works with .exe files, but I also found that if I tried to link a zipped file, that I would just get encoded text on the screen. I'm not sure why, maybe someone else can shed some light on that.

As far as my ASP file, I just included a line that simply says this...

response.redirect "http://localhost/files/ypager.exe"

Upon loading my asp page, I get a download prompt asking me to save ypager.exe from localhost (note that it didn't give the full path JUST the domain). I NEVER SEE THE FILE PATH.

So, assuming you're distributing exe files, this should work. I'll see if I can figure out the zip file thing. Be back soon!

--------------------------------------

Ok, I think I've got it here. Take a look at this site:

http://www.planet-source-code.com/xq...s/ShowCode.htm

It has the code you need to force a download of ANY file type (even common types that the browser usually loads... htm/asp/gif/jpg/txt, etc). This also fixes the problem I had with zip files.

This code could be inserted at the end of the same asp file that processes your form, if desired. As the author suggests, however, it might be advantagous to look at reading the data in chunks rather than bit-by-bit... can take a long time for big files. There is no redirect required in this scenario (although ou could add one if you wanted to)... the file is simply read and output straight to the browser.

Hope this helps! I know I learned from it and will be putting it to use.

<% just a test to see if sample asp will show up %>

for those that don't want to go d/l the zip and look at the asp sample, here it is (I didn't write it, but it works for what is needed here!):

<%
' Constants for Reading Text File
Const ForAppending = 8
Const ForReading = 1
Const ForWriting = 2
Const TristateFalse = 0
Const TristateMixed = -2
Const TristateTrue = -1
Const TristateUseDefault = -2

' File System Objects
Dim FSO
Dim TS

' Server File (this is the REAL name of the file)
Dim strFile: strFile = Server.MapPath("saveme.gif")

' File to Save As (this is the name you want to tell the browser)
Dim strFileSave: strFileSave = "saved.gif"

' Tell Browser what the file name is, so it doesn't try to save as "default.asp"
Call Response.AddHeader("Content-Disposition","attachment; filename=""" & strFileSave & """")

' Write out content-type that will FORCE user to SAVE FILE.
' "image/gif" will display in browser
Response.ContentType = "bad/type"

' Initialize File System Object
Set FSO = Server.CreateObject("Scripting.FileSystemObject")

' Open TextStream for Reading
Set TS = FSO.GetFile(strFile).OpenAsTextStream(ForReading,TristateTrue)

' TS.ReadAll DOES NOT WORK. Every Byte must be read and written individually.
' I think you can read them in Chucks, but this was easier. If you know how to
' Read chunks... go ahead, read chunks
Do While Not (TS.AtEndOfStream)
' Output MUST be BinaryWrite
Response.BinaryWrite(TS.Read(1))
Loop

' Cleanup, like all good programmers do.
TS.Close
Set TS = Nothing
Set FSO = Nothing

' You don't need this, but I like it.
Response.End
%>

[CXGJarrod]

Thanks for all your help. I will try your solutions.