One time use passwords for htaccess possible?
Hi. I set up a password protected page using .htaccess for download of my band's album and created 1000 unique usernames/passwords and printed them on download cards for inclusion in our LPs so that purchasers of the record can also get a digital download as well. Currently however you can use each login/password as often as you like. Is there any way I can have a script check each code as it's entered and make them invalid after a certain number of uses?
Thanks!
jack
-
-
The short answer is no, but the long answer is that there are other ways to do this.
The most direct way to do that would be to create a directory with the .htaccess and password files as you like, then when they visit a page in that directory (PHP probably, or another serverside language-- ASP, CGI, etc.) that page will delete the whole directory after they're done (or it could change the password to something else, if you don't want to actually delete the files).
However, that's a mess and it's not usually a good idea to actually be deleting files (or even changing passwords) in that way.
The real way to do this is to use a database, along with a serverside language (like PHP). Then you can store all of the codes in the database and when a user types one in, you can look it up. It's also very easy to store whether the code has already been used, or even the number of times. For example, you could limit it to only 5 downloads. This way you can also provide proper feedback rather than just denying access-- "This code has already been used."
In short, what you need is a very primitive login script, but in fact you don't even need to worry about most of what a login requires-- you just need to learn how to use PHP (for example) and a database (MySQL for example) and everything you'll do will be one of the many standard functions of those systems-- getting information, looking for a match in the database and displaying output.
As for why I'm not recommending that you use .htaccess here, it's pretty simple: .htaccess passwords are something like a key to a house, and they're not very flexible. You'd have to "change the locks" (update the system) in order to use a new key, so realistically it's better to use a more flexible system for this, such as with PHP.
On the practical side of things, you should think very carefully about how you want to make this work. Of course you don't want infinite downloads (especially if they're sharing the password with others), but at the same time you don't want to have any technical problems get in the way of users so that they don't get to download the music-- if the download gets interrupted then they might only have half of the file(s) and would be very unhappy to be blocked at that point.
Here are some ideas, and you'll just need to decide which would help in the specific case of your business. Of course you can combine them too, as you'd like.
1. Limit requests to one IP address (or a short list). The first time the code is used, store that IP. Then allow future requests from that IP address, but not from others. Be aware that IP addresses do change, so that same user might not be able to return from the same IP the next day, and they might also use two computers (work and home?), but this would give at least a little flexibility so that they can download as many times as they'd like that first time they visit the site (and probably more times from the same computer later that day or even that week). But then it would inevitably expire, or you could also set a time limit.
2. Limit the number of times, but don't set it to 1. Maybe 3 times is enough, or whatever you think.
3. Add a reset option that requires admin (your) approval. They could perhaps do this as many times as they'd like, but you will stop resetting it for individuals who request the reset 50 times-- but for someone who just loses the files and wants to download them again, it's a reasonable request. (This is an option that software companies have when a program has been registered on too many computers for the license.)
4. Set a time limit for access rather than limiting it to a single time. So give them 1 hour, or 24 hours, or 4 weeks, but stop it after that. That (at least a little time) would mean that, most likely, the download would be finished and not corrupt, and if there was a problem they could immediately download again and fix the problem before the time expired.
Finally, just be sure that these rules are clear to your users-- it would be unfortunate if they didn't understand and didn't get to download their music for some reason.
In general, don't worry so much about this that you give your users a bad experience. Remember that even if you do stop them from sharing the password, they can always burn a CD and give it to their friends, so your goal should be to make it inconvenient, but not at the expense of having a useful and friendly website.
Daniel -
Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
-
-
Thanks for the info. I had a feeling this would be the route I'd need to go in to make this work. And yes I'm aware of the fact that downloads get interrupted and all of that so I would just make each code work 3 times or something simple like that.
-
-
That's fairly reasonable, but remember that if a user is frustrated (and something is broken), then it's not unimaginable that three tries (or even 10) might be used up just by clicking repeatedly-- similar to "please don't submit the credit card form twice!" warnings.
So what I'd recommend is giving ~3 instances of logins during which the file can be downloaded as many times as needed until it works.
Daniel -
-
-
That's what I meant, yes. You log in and can download and stay logged in as long as you want.
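The scheme the thread settles on (codes looked up in a database, about three logins per code, unlimited downloads within each login) can be sketched as follows. This is an added example, not code from any poster; it uses Python with SQLite so it runs offline rather than the PHP/MySQL mentioned above, and the table names, the 24-hour session lifetime, the hashing of stored codes and the sample code `ABCD-1234` are assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

MAX_LOGINS = 3           # the thread's suggestion: about three logins per card
SESSION_TTL = 24 * 3600  # assumed: each login stays valid for 24 hours

def _h(value):
    # Only hashes are stored, so a leaked table does not reveal usable codes.
    return hashlib.sha256(value.encode()).hexdigest()

def init_db(conn, codes):
    conn.executescript("""
        CREATE TABLE codes (hash TEXT PRIMARY KEY, logins INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, expires REAL NOT NULL);
    """)
    conn.executemany("INSERT INTO codes (hash) VALUES (?)",
                     [(_h(c.strip().upper()),) for c in codes])
    conn.commit()

def redeem(conn, code, now=None):
    """Spend one login on a card code; return (session_token or None, message)."""
    now = time.time() if now is None else now
    h = _h(code.strip().upper())
    # One atomic UPDATE checks the limit and counts the login, so two
    # simultaneous requests cannot both take the last remaining login.
    cur = conn.execute(
        "UPDATE codes SET logins = logins + 1 WHERE hash = ? AND logins < ?",
        (h, MAX_LOGINS))
    if cur.rowcount == 0:
        conn.rollback()
        known = conn.execute("SELECT 1 FROM codes WHERE hash = ?", (h,)).fetchone()
        return None, ("This code has already been used." if known else "Unknown code.")
    token = secrets.token_urlsafe(32)  # random session id, sent as a cookie
    conn.execute("INSERT INTO sessions VALUES (?, ?)", (_h(token), now + SESSION_TTL))
    conn.commit()
    return token, "OK"

def may_download(conn, token, now=None):
    """Downloads are unlimited while the session from redeem() is still valid."""
    now = time.time() if now is None else now
    row = conn.execute("SELECT expires FROM sessions WHERE token_hash = ?",
                       (_h(token),)).fetchone()
    return row is not None and now < row[0]

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    init_db(db, ["ABCD-1234"])          # constructed sample card code
    print(redeem(db, "abcd-1234"))
```

Plain SHA-256 is only adequate here if the printed codes are long and random; short or guessable codes also need rate limiting on the redeem form.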