Need some file path obscurity / PHP encryption magic

ImagesAndWords

Hey hey every1,
I'm setting up a sales page for a digital download product, where I (naturally) want to obscure the actual file path of the download to avoid abuse and spreading of the actual link.

Ideally, I want:
1) The href/download path to be shown as encrypted in the status bar when hovering over it (I got this figured out with base64 encoding)

2) When clicking on the link to download it - the actual file path should not be shown to the user anywhere. The address bar should read as an encrypted path like www.mysite.com/download.php?here=cd8sdbn2cd9az

3) Most importantly, the encrypted link should change every time - but here is where I run into trouble. If I tell base64 to encode a "secret path" string (such as a server-side folder name where the file actually resides like /myfileishere/file.txt), this path will have to be the same every time, and this kinda defeats the purpose. Obviously the actual file path should be permanent, but how can I randomly vary and expire the URLs given to visitors?

In other words - I would like for the encrypted URL / visible download path to expire after 24 hours or so, so that a brand new encoded string is given to each new person who downloads. How can I do this? I've seen it done before, but would like to learn the (PHP code?) "magic" behind it.

Thanks a lot!
 


If you don't want the buyers to have individual accounts on the site (which would be the best way to do it), you could create a new page with a random string for the URL and insert a row into the database with the page and the date created. Then, on each page, use a function that checks the database and, if more than 24 hours have passed since it was published, redirects the visitor elsewhere on the site.
 
If you are creating limited use links you have to store the information somewhere. You can probably store it in flat text files if that is simpler for you than a db.
 
lol at all above posters. databases, lol.

how about
Code:
download.php?expire_time_but_actually_name_this_variable_something_cryptic=base64(time() + 3600*4)

edit, followup -- if you're super paranoid that someone wants your shit bad enough to base64 decode your URL parameters, you can add further obscurity by, e.g., dividing the expire_time by 329.2 (and re-multiplying it by this value when authenticating) or even straight-up encrypting it (ala GPG) using a passphrase that's not publicly disclosed.

for example, the link -->
download.php?expire=gpg(expire_time, "my secret")
the code -->
if(time() > gpg_decrypt($_GET['expire'], "my secret"))

all examples are pseudocode, idk how to do gpg from php, but i bet it's not terribly complex.
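
The expiring-link idea from the posts above, as an added example that is not part of the original thread: the expiry is signed with an HMAC, so a visitor who decodes or edits the parameters cannot extend it, and the file is referenced by an id so the real path never appears in the URL. The secret, the `FILES` map and the parameter names `f`, `e`, `n`, `s` are assumptions made for the example.

```php
<?php
// Added example (not from the thread): stateless expiring links signed with HMAC-SHA256.
// SECRET, FILES and the parameter names f/e/n/s are assumptions made for this sketch.
const SECRET = 'replace-with-a-long-random-server-side-secret';
// Public id => real path. Only the id is ever sent to the browser.
const FILES = ['ebook' => '/myfileishere/file.txt'];

function sign(string $id, int $expires, string $nonce): string {
    // The MAC covers every parameter, so changing any one of them breaks the link.
    return hash_hmac('sha256', "$id|$expires|$nonce", SECRET);
}

function make_link(string $id, int $ttl = 86400): string {
    $expires = time() + $ttl;
    $nonce = bin2hex(random_bytes(8)); // random per link, so every issued URL differs
    return 'download.php?' . http_build_query([
        'f' => $id, 'e' => $expires, 'n' => $nonce, 's' => sign($id, $expires, $nonce),
    ]);
}

function verify_link(array $q, ?int $now = null): ?string {
    $now = $now ?? time();
    foreach (['f', 'e', 'n', 's'] as $k) {
        // $_GET values can be arrays (e.g. ?e[]=1), so insist on plain strings.
        if (!isset($q[$k]) || !is_string($q[$k])) return null;
    }
    if (preg_match('/^\d{1,12}\z/', $q['e']) !== 1) return null;
    $expected = sign($q['f'], (int)$q['e'], $q['n']);
    if (!hash_equals($expected, $q['s'])) return null; // constant-time comparison
    if ($now > (int)$q['e']) return null;              // link has expired
    return FILES[$q['f']] ?? null;                     // unknown id is rejected
}

// Constructed demo: issue one link, then check it in three situations.
parse_str(parse_url(make_link('ebook'), PHP_URL_QUERY), $q);
var_dump(verify_link($q));                                      // untouched link
var_dump(verify_link(['e' => (string)($q['e'] + 9999)] + $q));  // expiry edited by the client
var_dump(verify_link($q, time() + 90000));                      // same link checked 25 hours later
```

In `download.php`, the path returned by `verify_link($_GET)` would be passed to `readfile()` after sending the download headers. A signed link can still be shared until it expires; limiting it to one buyer or one use needs stored state, as the earlier replies describe.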
 
If you don't mind installing lighttpd for downloading the file, you can check out this: Lighttpd - Docs:ModSecDownload - lighty labs

It also gives good scripts for hotlink protection; for what you want, just google hotlink protection script (but don't use the ones that use .htaccess, this will only work on images).