Curtis

Reputation: 103388

How can I "lock" files until purchased by user?

I'm building a site in which users can purchase MP3 files which they can download from their user login area.

In previous applications I've developed, I would allow admin to upload the file and it would be stored under "/Uploads/MP3s/filename.mp3". However, I need to make this secure so that users cannot gain access to these files until they have purchased them.

What is the best, and most secure, way of doing this?

Upvotes: 1

Views: 173

Answers (2)

Willem

Reputation: 5404

You should have a database where you store which user bought which MP3. Uploaded MP3s should not be stored in an openly accessible folder. Store them in a folder other than the HTTP folder, but make sure IIS has access to this folder. This way nobody can guess the path to the file, because it's not under the HTTP root.

Use a download page which checks the download permissions and only then sends the mp3 to the user with Response.WriteFile(filename) and the correct mime-type etc.

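' Call this only after the purchase check for the current user has passed.
Protected Sub ServeMP3(ByVal f As FileInfo)
    Response.Clear()
    ' "audio/mpeg" is the registered MIME type for MP3 (RFC 3003).
    Response.ContentType = "audio/mpeg"
    ' Quote the file name so names containing spaces are sent intact.
    Response.AddHeader("content-disposition", "inline; filename=""" & f.Name & """")
    Response.WriteFile(f.FullName)
    Response.End()
End Sub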

Instead of "inline" (stream and play), you can use "attachment" to force a file download.

Upvotes: 5

Kieron

Reputation: 27127

Hide them behind an HTTP Handler, Module, Web Service or Page that can check the validity of the request, and then stream the file or display an error/redirect to the purchase page.

This will have the advantage of completely abstracting away the real paths for the files too...security through obscurity (:

Upvotes: 3
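
The approach both answers describe (files kept outside the web root and served only through a handler that checks the purchase first), as an added example that is not code from either answer. The class name `Mp3DownloadHandler`, the `StoreRoot` path, the `id` query parameter and the in-memory `Tracks`/`Purchases` sample data are assumptions standing in for the site's own database and configuration.

```vb
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Web
Public Class Mp3DownloadHandler
    Implements IHttpHandler
    ' Assumption: a folder outside the web root that the IIS app pool can read.
    Private Const StoreRoot As String = "D:\ProtectedMedia\MP3s\"
    ' Constructed sample data standing in for the tracks and purchases tables.
    Private Shared ReadOnly Tracks As New Dictionary(Of Integer, String) From {{1, "first-song.mp3"}}
    Private Shared ReadOnly Purchases As New HashSet(Of String) From {"alice:1"}

    Private Shared Function HasPurchased(userName As String, trackId As Integer) As Boolean
        Return Purchases.Contains(userName.ToLowerInvariant() & ":" & trackId.ToString())
    End Function

    ' Looks the file name up by id, so no client-supplied path ever reaches the disk.
    Private Shared Function ResolveTrack(trackId As Integer) As String
        Dim name As String = Nothing
        If Not Tracks.TryGetValue(trackId, name) Then Return Nothing
        Dim full As String = Path.GetFullPath(Path.Combine(StoreRoot, name))
        ' Defence in depth: reject a stored name that escapes the store folder.
        If Not full.StartsWith(StoreRoot, StringComparison.OrdinalIgnoreCase) Then Return Nothing
        Return If(File.Exists(full), full, Nothing)
    End Function

    Public Sub ProcessRequest(context As HttpContext) Implements IHttpHandler.ProcessRequest
        If context.User Is Nothing OrElse Not context.User.Identity.IsAuthenticated Then
            context.Response.StatusCode = 401
            Return
        End If
        Dim trackId As Integer
        Dim filePath As String = If(Integer.TryParse(context.Request.QueryString("id"), trackId),
                                    ResolveTrack(trackId), Nothing)
        ' Same 404 for "unknown track" and "not purchased", so ids cannot be probed.
        If filePath Is Nothing OrElse Not HasPurchased(context.User.Identity.Name, trackId) Then
            context.Response.StatusCode = 404
            Return
        End If
        context.Response.ContentType = "audio/mpeg"
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=""" & Path.GetFileName(filePath) & """")
        context.Response.TransmitFile(filePath)
    End Sub
    Public ReadOnly Property IsReusable As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property
End Class
```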
