-
Dec 17th, 2007, 09:37 PM
#1
Thread Starter
Hyperactive Member
Quick Question - Make page accessible for only one hour.
How can I make a page only accessible one hour from:
http://www.myssite.com/?t=[%c_time12%]
http://www.myssite.com/?t=7:00PM
The time will be given to the page as shown above, the time cannot be formatted any other way.
I was thinking it would work something like this:
PHP Code:
<?php
if ($tyme < "8:00PM") {
    // include the page
} else {
    echo "this page is no longer accessible, page expired!";
}
?>
The site that redirects to mine after the buyer purchases allows me to do the following:
[%p_date%] (Payment Date, example: January 1, 2009)
http://www.mysite.com/?t=%p_date%
I guess all I have to do is get php to display the date in the correct format as above.
PHP Code:
<?php
$today = time();
// 9 rather than 09: a leading zero makes PHP read the literal as octal
$expires = mktime(0, 0, 0, 9, 30, 2006);
if ($today < $expires) {
    include 'download.php';
} else {
    echo "expired.";
}
?>
I am also going to make it verify the referrer. I know someone could get in if they REALLY wanted to but it's not that important. The average, honest person will not bother with it.
I appreciate your help!
-
Dec 18th, 2007, 12:33 AM
#2
Re: Quick Question - Make page accessible for only one hour.
Your method is not very... safe, if you will. Because the buyer can just change the URL to give them whatever time they want, in return, giving them more time to do whatever you don't want them to do.
My usual boring signature: Something
-
Dec 18th, 2007, 12:55 AM
#3
Thread Starter
Hyperactive Member
Re: Quick Question - Make page accessible for only one hour.
 Originally Posted by dclamp
Your method is not very... safe, if you will. Because the buyer can just change the URL to give them whatever time they want, in return, giving them more time to do whatever you don't want them to do.
Well what do you suggest?
-
Dec 18th, 2007, 01:00 AM
#4
Re: Quick Question - Make page accessible for only one hour.
well. do you want it to be an hour from when they see the page? or like at a certain time in the day?
-
Dec 18th, 2007, 01:13 AM
#5
Thread Starter
Hyperactive Member
Re: Quick Question - Make page accessible for only one hour.
 Originally Posted by dclamp
well. do you want it to be an hour from when they see the page? or like at a certain time in the day?
I want it to expire an hour after they first viewed the page.
I think using the IP address would be unreliable.. hmm...
What do you suggest and thank you for taking the time to reply.
-
Dec 18th, 2007, 03:43 AM
#6
Frenzied Member
Re: Quick Question - Make page accessible for only one hour.
All I can think of is storing the time the user opened the page the first time to a database.
Do users need to be logged in to view the page? If so, just write to the database the time they viewed the page the first time.
Otherwise, you need to uniquely identify the user... but how? A cookie variable (what if the user does not support cookies?)... or yeah, IP address.
-
Dec 18th, 2007, 05:49 PM
#7
Re: Quick Question - Make page accessible for only one hour.
and you will want to use the server's time, not their time, so this might work:
PHP Code:
//connect to database....
// Database will store: IP, date, hour, minute
$ip_address = $_SERVER['REMOTE_ADDR'];
$sql = "SELECT * FROM `views` WHERE `ip`='{$ip_address}' LIMIT 1";
$query = mysql_query($sql);
$res = mysql_fetch_array($query);
//date stored in this format: m.d.y
if ($res['date'] == date("m.d.y")) {
    //so if it is still today then...
    // server timestamp one hour after the stored first view
    $hourlater = mktime((int) $res['hour'] + 1, (int) $res['minute']);
    if (time() >= $hourlater) {
        echo "Sorry, your hour is up!";
    }
}
-
Dec 18th, 2007, 06:25 PM
#8
Thread Starter
Hyperactive Member
Re: Quick Question - Make page accessible for only one hour.
 Originally Posted by dclamp
and you will want to use the server's time, not their time, so this might work:
Thank you so much.
If someone were to send the link to their friends or access the link from another computer will it give them access to the page?
The reason I'm doing this is to prevent users from sharing the download/activation page/form.
-
Dec 18th, 2007, 06:41 PM
#9
Re: Quick Question - Make page accessible for only one hour.
It wouldn't work for the other friend.
It gets their IP address only.
-
Dec 18th, 2007, 07:02 PM
#10
Thread Starter
Hyperactive Member
Re: Quick Question - Make page accessible for only one hour.
 Originally Posted by dclamp
It wouldn't work for the other friend.
It gets their IP address only.
Then how would it work for authorized people?
It looks as if it will work for anyone but just for an hour.
-
Dec 18th, 2007, 07:29 PM
#11
Re: Quick Question - Make page accessible for only one hour.
PHP Code:
//connect to database....
// Database will store: IP, date, hour, minute
$ip_address = $_SERVER['REMOTE_ADDR'];
$sql = "SELECT * FROM `views` WHERE `ip`='{$ip_address}' LIMIT 1";
$query = mysql_query($sql);
$num = mysql_num_rows($query);
if ($num == 1) {
    $res = mysql_fetch_array($query);
    //date stored in this format: m.d.y
    if ($res['date'] == date("m.d.y")) {
        //so if it is still today then...
        // server timestamp one hour after the stored first view
        $hourlater = mktime((int) $res['hour'] + 1, (int) $res['minute']);
        if (time() >= $hourlater) {
            echo "Sorry, your hour is up!";
        }
    }
} else {
    // first visit from this IP: record the server's date and time
    $sql = "INSERT INTO `views` SET `date` = '" . date("m.d.y") . "', hour = '" . date("G") . "', minute = '" . date("i") . "', ip = '$ip_address'";
    $query = mysql_query($sql);
}
there, that should work
-
Dec 19th, 2007, 04:54 AM
#12
Re: Quick Question - Make page accessible for only one hour.
 Originally Posted by dclamp
It wouldn't work for the other friend.
It gets their IP address only.
Using an IP address is a very unsafe option. IP addresses assigned by ISPs are normally assigned dynamically and have a lease. Once that lease has run out the IP address will be changed - leases are typically between 1 hour and 1 day, sometimes less, sometimes more. Conversely, IP addresses can be shared. Take for example academic institutions and corporate networks. Many of these employ the use of a Proxy server or NAT, making it near impossible to distinguish between two different clients. I don't think I need to mention hot spots and mobile computing.
In summary DO NOT control access to resources with IP addresses.
To answer your questions you have two aims here. First, you need some kind of confidentiality, second you want an expiry time on the resource. As there are two different goals here you need two different approaches to the access control system you want to build.
Building upon dclamp's code - you should use a URL and in the query string a user ID and hash and a passcode dispatched within an email notification. This will make your page secure to all but man in the middle attacks.
Of course - you cannot stop someone giving the passcode and the URL away; but what you can do is limit the number of times the user gets access to the resource (be aware that dropped connections / browser crashes may mean a user needs to access the resource again). However, this is easy to spot because the file will be only partially transferred.
PHP Code:
// keep the script running after a disconnect so the bookkeeping below still happens
ignore_user_abort(true);
$filesize = filesize($downloadResource);
$downloaded = 0;
$hwnd = fopen($downloadResource, 'rb');
if (! $hwnd) {
    // error handling here
}
// grab 1KB of data at a time and spit it out. this is your download.
// fread() rather than fgets(): the file is binary, not line-based
while (! feof($hwnd) && ($chunk = fread($hwnd, 1024)) !== false) {
    // no connection / therefore nothing being sent
    if (connection_aborted()) {
        break;
    }
    echo($chunk);
    flush();
    $downloaded += strlen($chunk);
}
fclose($hwnd);
// count the download only when the whole file was sent (== compares, = would assign)
if ($downloaded == $filesize) {
    $result = mysql_query("UPDATE views SET downloadCount=downloadCount+1 WHERE id = " . (int) $id);
    if (! $result) {
        // error handling here
    }
}
//make the user re authenticate when they return by destroying the session
session_destroy();
Your table will contain four fields:
userID, accessHash, salt, uri, downloadCount, passCode
The user ID and access hash will be transferred within the URL. The access hash will be calculated by concatenating the timestamp for the current hour, the URI and the salt which is randomly generated.
PHP Code:
$date = getdate();
$uri = 'path/to/file/to/download.exe';
// this is the current hour - will be calculated when the user visits.
$thisHour = mktime($date['hours'], 0, 0, $date['mon'], $date['mday'], $date['year']);
// this generates a random number for the salt - no two hashes for the same
// hour should be the same.
$salt = rand(1000,9999);
// generate the access hash
$accessHash = md5($salt . $thisHour . $uri);
// this should be a random 10 digit alphanumeric string
// (generatePasscode() is not shown in this post; you write it yourself)
$passcode = generatePasscode();
// put it in the table
$dburi = mysql_real_escape_string($uri);
$result = mysql_query("INSERT INTO views (salt, accessHash, uri, passCode) VALUES ($salt, '$accessHash', '$dburi', '$passcode')");
if (! $result) {
    // error handling here
}
// this is the user ID
$userID = mysql_insert_id();
// example URI
// http://www.example.com/download.php?id=23&download=c14cbf164d0a0c25160f5d60efb6b804
Checking you have the right user will involve two requests.
- The user will request the page with a URL similar to the one given above.
- You will first execute the query to get the accessHash, salt and uri and use it to recalculate the accessHash along with the current time as of the request.
- You will then check both hashes match. If they do you have confirmed that the user has requested the page within the right time frame with the correct user ID. In effect you have verified their identity.
- You will then spit out a page asking for the passcode ensuring their user ID is stored in a PHP session rather than the URL.
- Finally you will then check the pass code and if it is correct start sending the file.
This method will ensure the user verifies their identity and confirms the passcode sent in their email as another layer of security. It also subtly imposes a time limit and also ties the file they are downloading to the user. The user cannot change the hash to incorporate a different time because they don't know the salt of the URI. Last but not least the user downloading the file will never know the real location. In fact the file need only ever be accessible to PHP.
I have deliberately left some code out here so you can do some coding and get a feel for how it works. It is quite a secure mechanism and methodical and can be used with streaming, a file or a web page.
Let me reiterate - DO NOT USE IP ADDRESSES TO CONTROL ACCESS
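Post #2's objection (a time carried in the URL can simply be edited) and the access hash in post #12 both come down to making the link tamper-evident. The following is an added example, not code from any poster in this thread: it signs the user ID, the file path and an expiry one hour after the link is issued with HMAC-SHA256 under a server-side secret, so editing the expiry invalidates the link. The function names, the `id`/`exp`/`sig` parameter names and the sample values are assumptions, and it needs PHP 7 or later.

```php
<?php
// Added example: names, secret handling and URL layout are assumptions, not from the thread.
const LINK_TTL = 3600; // one hour, in seconds

// Build the query string for a link that expires LINK_TTL seconds after $now.
function issueLink(string $secret, int $userId, string $uri, int $now): string
{
    $expires = $now + LINK_TTL;
    // The MAC covers every field the client could tamper with.
    $mac = hash_hmac('sha256', "$userId|$uri|$expires", $secret);
    return http_build_query(['id' => $userId, 'exp' => $expires, 'sig' => $mac]);
}

// True only if the signature matches and the link has not expired.
function verifyLink(string $secret, string $query, string $uri, int $now): bool
{
    parse_str($query, $p);
    foreach (['id', 'exp', 'sig'] as $k) {
        // reject missing fields and array-valued parameters such as id[]=1
        if (!isset($p[$k]) || !is_string($p[$k])) {
            return false;
        }
    }
    if (!ctype_digit($p['id']) || !ctype_digit($p['exp'])) {
        return false;
    }
    // $uri is looked up server-side for this user; it never travels in the URL.
    $expected = hash_hmac('sha256', "{$p['id']}|$uri|{$p['exp']}", $secret);
    // hash_equals() compares in constant time; exp is trusted only once the MAC matches.
    return hash_equals($expected, $p['sig']) && $now < (int) $p['exp'];
}

// Constructed demonstration values.
$secret = random_bytes(32);          // server-side key; load it from configuration in practice
$uri    = 'path/to/file/to/download.exe';
$issued = 1197936000;                // constructed issue time (Unix timestamp)
$query  = issueLink($secret, 23, $uri, $issued);

// Request 30 minutes after issue.
var_dump(verifyLink($secret, $query, $uri, $issued + 1800));
// Request one second past the expiry.
var_dump(verifyLink($secret, $query, $uri, $issued + 3601));
// Same late request, with the expiry pushed a day forward by editing the URL.
$edited = preg_replace('/exp=\d+/', 'exp=' . ($issued + 86400), $query);
var_dump(verifyLink($secret, $edited, $uri, $issued + 3601));
```

The hour here runs from the moment the link is issued; counting it from the first view, or capping the number of downloads as post #12 suggests, still needs a server-side record keyed by the user ID.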