Here's a challenge: Forcing download

hagen00

Hi Board

I have the following scenario.

I have files that people purchase (3D Studio Max files, that get opened by software that they have installed on their computer).

I want the following. After they've purchased, they will have access to the files to download. However when they click on the file, it should only allow them to open the file (in the software program that they've installed on their computer - i'm guessing the Operating System will handle this).

They should not be able to Save the file and also not be able to find it in their cache.

I thought that by forcing the download (i.e. not providing a link) like this:

   header("Pragma: no-cache");
           header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
           header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
           header("Cache-Control: private",false);
           header("Content-Type: application/msword");
           header("Content-Disposition: attachment; filename=\"".basename($path)."\";");
           header("Content-Transfer-Encoding: binary");
           header("Content-Length: ".@filesize($path));
           set_time_limit(0);
           @readfile("$path") or die("File not found.");

...would be a start. But this obviously prompts whether they want to open or save. Even if they click Open, the file will still be downloaded into the computers cache.

Can what i'm trying to do be done? Any ideas how?

Thanks

etully

Can what i'm trying to do be done?

Can't be done.
Fundamental rule of the digital world: If you provide it to them, they can save it.

hagen00

Ok, thanks for the reply.

What about the following scenario.

I have application X installed on my home PC. I click on a link to open a file in Application X. Application X does however not download the file and cache it first, but downloads the content straight off the server.

This would mean that once application X is closed, all references to that file will also be gone.

I do believe that you might be correct etully, since I am of the same opinion. That's why i posted here. Maybe some other expert has another opinion?

etully

I admire your reluctance to accept the first simple answer you find and I encourage you to pursue your research.

I will, however, address your question about the scenario you present. When you click on the link to open a file in Application X, the following things happen:

Your web browser sends a request to the web server asking for the file
The web server sends a copy of the file
It goes through your ISP
It arrives at your router
It arrives at your computer
It gets to your Operating System which stores the file in RAM
It gets to your web browser
Your web browser looks at the Mime type and decides which application can use this file (in this case, it's Application X)
Your web browser tells the Operating system to start Application X and open this file
The Application X reads the file from RAM or establishes a temp file and operates on the file from there
When the Application is closed, the RAM is wiped clean and the temp file is removed

There are many many points in that process where the user can make a permanent copy of the data. With a packet sniffer, they could capture the data at step 5. With some clever scripting, it can be captured at step 6. When it gets to step 7, it is often stored in a cache file where it can be copied. Often, the Application X itself will have a "save as" function so you can capture the data at step 10. Finally, when temp files are "deleted" in step 11, there are many "undelete" tools that can be used to reclaim the data from the hard drive. So already we have 5 opportunities to copy the data.

But then all of this assumes that we are using "standard" tools. There is no reason to assume that the user is using a normal version of MS Windows, a "normal" web browser, or even a "normal" copy of Application X. It's possible that the user has written or purchased an alternative version of any of these programs so that when the data arrives, this version of the software says, "I have the data, would you like to save it?" So really, there are many more than 5 opportunities to capture and save the data.

This isn't an opinion, this is a law. If you give the data to the user, they can save it.

hagen00

Yes, thanks for pointing out the details. Makes sense.

An alternative that I might investigate would be letting the user not click on a link, but download an .exe "installer" that would then allow for greater control on the user's desktop with regards to what happens to the file once opened.

Anyway, your detailed response is much appreciated.

etully

an .exe "installer" that would then allow for greater control on the user's desktop

Ok. By the way, when you get that working, bring that to the RIAA and the MPAA, they will pay you a billion dollars for it. Oh, and Microsoft is still trying to figure out how to get that working too so be sure to let them know that you've solved the problem of making bits that can't be copied.

hagen00

lol, yes. That's actually what I told the guy who wants this developed. Not even MS can get it right - he was just looking for a 90% solution, whatever that means.

But I now completely over this problem...

The-Master

You could also tell this guy that surely if you were overcome this impossibility and get them to open it surely they would just be able to save it in 3DS max and have the file anyway!

hagen00

I was wrong when i said it's 3DS max, it's some other software that when you choose save as, it encrypts the file so that only you on your machine can open it again, preventing re distribution.