Jump to content

Digital Download Locations


bsmither

Recommended Posts

There are three aspects to a digital download's location:

* as seen in the Digital Options file picker (Product, Digital tab)

* the Custom File Path (Product, Digital tab)

* the Custom Root File Path (Store Settings, Stock tab) -- not applicable to CC6

 

If you use the Custom File Path, all else is ignored. The value you enter here is taken exactly as entered. The term File Path, in this case, also means that there is a File Name attached. A fully qualified web address can also be used. (If a web address is used, Cubecart will send a 302 Redirect to have the browser download the file directly from that address. Normally, the web address of the Redirect is not visible to the casual browser user. But if the user is monitoring web traffic in and out of the browser, the address will be seen in the page request headers.)

Examples:

/home/username/private_dir/store_downloads/digital_file.mp3

(http, or https, or ftp)://www.storename.com/downloads_dir/digital_file.mp3

 

If you use the Custom Root File Path, this becomes the starting point that the Digital Options file picker list window uses to display directories and files, and the Downloads, Upload tab will deposit uploaded files. The term File Path, in this case, is just the path, with no trailing slash.

Example:

/home/username/private_dir/store_downloads

 

If you do not use the Custom Root File Path, the starting point is the /files/ directory in the Cubecart installation that the Digital Options file picker list window uses to display directories and files, and the Downloads, Upload tab will deposit uploaded files.

 

Except for the method used where the web address is sent to the browser in the 302 Redirect response, CubeCart will have PHP send the file, unmanaged, in 8KB chunks to the browser. (Unmanaged means there is no 'resuming' at the point of failure of a failed download.) At no point will the user be able to determine where the file is actually located.

 

That said, if the starting point is somewhere inside the CubeCart installation, the file can be requested directly, if somehow known what the filename is. As such, it will be to your benefit to add an .htaccess file that prohibits directory listing, and prohibits direct access from everyone except a page request referred by your own store.

These lines should suffice:

Options -Indexes

IndexIgnore *

Order deny,allow
Deny from all
<FilesMatch "print.*.php$" >
(See note)
  Allow from all
</Files>

 

Points to consider:

The database table CubeCart_filemanager records the path, if there is one, relative to the file picker's starting point. If you upload files (in admin, Downloads, Upload tab), the files will be stored in the starting point folder. (On the Files tab, you may edit the file properties and change the file's location to a different sub-folder.)

 

If you should open your store and not have entered a Custom Root File Path, have uploaded files (to /files/), then later decide to enter a Custom Root File Path (or change an existing path), you will need to use an FTP program to move the files and folders from where they are now to the new location.

 

The FilesMatch directive could be written to allow any .php file. The expectation is that CubeCart (and third-party developers) will only put files here temporarily - and they will end in .php. All other file types, mp3, mov, pdf, doc, etc, will not be reachable by a web browser.

 

My testing has shown there to be an issue with using a Custom Root File Path. When the file picker window lists the folder(s), I see two entries of the same folder name. (I only have one sub-folder at the starting point for my experiments.)

 

(There is another issue with using a Custom Root File Path, which I think is related to a Windows-based server filesystem. Clicking on the folder name in the file picker window does nothing. It is important to enter the path not using backslashes: L:/WebServer/store_downloads. Backslashes will be removed. There is also an issue with the FileManager saving data to the CubeCart_filemanager table when the database is in strict mode. There will be a 500 Internal Server Error. These issues must be dealt with by someone other than Devellion.)

Link to comment
Share on other sites

  • 4 weeks later...

Hello Sir,

 

Thanks a lot for all your posts, it is very informative.

 

I am trying to build my CC store and I am new to the world of websites and have no knowledge of coding.

 

 

I intend to sell a large amount of digitals via my CC store.

 

Please I have a few questions concerning your post:

 

I would like to store my digitals on a secure Amazon S3 server. Which option should I use?

 

Thanks

Singen

Link to comment
Share on other sites

Hello,

 

I tried using Amazon 3S and after testing a purchase on my CC site with a Custom File Path to Amazon 3S.

 

After testing I decided not to proceed further with Amazon 3S and to store my digitals elsewhere.

 

There are two reasons why I will not proceed further with Amazon 3S :

 

1) They do not cap your invoices which means that you just provide your visa card details and you pay for what you consume without any cap. So let us say someone hacks your site and downloads 1000000 times your digitals then you can get a crazy invoice from Amazon.  

 

2)  When my customer downloads my digital from Amazon 3S (after clicking the CC link that is sent to them via e-mail) they can see the URL of my digital on Amazon 3S servers. But I guess that I need to read/learn how to solve this technical matter (which I think can be solved).

 

 

So please my question now is: if I upload my digitals via CC, where are they basically stored? They are logically stored on my hosting servers with let's say "Go Daddy". Is it correct?

 

Thanks

Kind Regards

Singen.

Link to comment
Share on other sites

The files are stored at one of two places: the /files/ folder in the CubeCart installation, or a folder outside the CubeCart installation -- as specified by you.

 

If you use the Custom Root File Path (Store Settings, Stock tab), this becomes the starting point that the Digital Options file picker window uses to display directories and files, and the Downloads, Upload tab will deposit uploaded files. The term File Path, in this case, is just the path, with no trailing slash.

Example:

/home/username/private_dir/store_downloads

 

If you do not use the Custom Root File Path, the starting point is the /files/ directory in the Cubecart installation that the Digital Options file picker window uses to display directories and files, and the Downloads, Upload tab will deposit uploaded files.

 

Log in to your hosting account control panel (cPanel? Plesk?) and find the particulars of where your site resides with respect to the file system. The above example is typical of some types of hosted account.

 

If you use the Custom File Path on the Edit Product, Digital tab, all else is ignored. The value you enter here is taken exactly as entered:

/home/username/private_dir/store_downloads/product_file.ext

If the Custom File Path looks like a valid URL, then the URL is sent to the browser with a 302 redirect, and it's the browser's job to retrieve the file from that location.

Link to comment
Share on other sites

Dear bsmither

 

Thanks a lot for sharing your expertise this is very helpful.

 

Please, with respect to security of the digitals, what option is the best?

 

Please the second question is : what are the advantages/disadvantages of each option?

 

Thanks again

Kind regards

Singen

Link to comment
Share on other sites

Concerning the security of the digital files:

 

At no point will the user be able to determine where the file is actually located - either in a subfolder beneath CubeCart's /files/ folder, or in a folder outside CubeCart. Using the same reasoning for the use of "strong passwords", the subfolder can be named something almost impossible to guess. In this case, locating files outside the CubeCart folders gives a slightly better level of security, because a web browser won't be able to get outside of CubeCart.

 

There is always the possibility that a vulnerability will be found with the operating system, the web server, PHP, someone's application (like WordPress), or whatever, that when exploited, will allow someone to have access to the entire server machine where your account is located. In this case, the level of security is equal.

 

There is not much you can do to secure your hosting provider's server machine, except be vigilant about maintaining whatever applications you have on your account (such as WordPress) by keeping it up to date.

 

Finally, there is implementing Digital Rights Management (DRM). When your digital product has been sold to a customer, what technology have you acquired to restrict the use of that digital product to that specific customer?

Link to comment
Share on other sites

Dear Brian,

 

Thanks a lot for the reply, it clarifies many points :)

 

Concerning your question regarding DRM, please receive some clarifications about my business project: 

 

  • I have created 500 business forms and templates under word and excel.
  • My target customers are professionals who need to prepare forms and templates and do not want to create these forms from scratch therefore they buy documents such as mine in order to customize/optimize them for their needs.
  • I cannot sell these documents under pdf or equivalent but must sell them under .doc .xls .ppt because the customers need to adapt them.
  • The selling price of each form and template varies in average from 1$ to 5$ some complex long questionaires can cost more up to 10$ - 20$ max.
  • I intend to copyright those forms and templates progressively by chunks of 40 because each copyright costs 35$ and I want to reduce my starting investment.
  • So for me there would be no DRM technology to protect my digitals except the regulatory copyright and the US courts in case. Unless you have a DRM option to propose for .doc and .xls files. 

 

Please Brian i have question:

 

If I use the Custom Root File Path and upload a document outside the CubeCart (and therefore of course outside the public_html) so something like:

 

/home/username/private_dir/store_downloads 

 

My question is: do I also need a .htaccess file in the folder called store_downloads  in order to secure my digitals?

 

Thanks

Kind regard

Singen.

Link to comment
Share on other sites

"Do I also need a .htaccess file in the folder called store_downloads (that is outside the CubeCart installation) in order to secure my digitals?"

 

No. The .htaccess file is used by the web server to control how the web server behaves on a folder by folder basis within the website. I am not an expert on web servers (such as Apache), but I am of the opinion that a web server will not go outside a web site based on commands found in an .htaccess file. Again, I am not an expert on that.

 

I am not a lawyer. Having said that, I know that the act of creating your idea of a business form and expressing that idea in a realizable (generally, tangible) form is sufficient to copyright it. Your business needs may benefit from having registered your forms with the U.S. Copyright Office, so I hope you received correct legal advice regarding that.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...