Protecting E-Book Download Links Through PayPal - javascript

I'm setting up a PayPal button to sell my e-book on my website, but one tiny problem. During the process, you have to provide a thank you page and specific download link for the PDF file.
Instead of changing it myself, is there a way to make it automatic and random every time a new customer buys? A script perhaps?
But then the thank you page would be the same, which wouldn't work... so I don't know.
Can anyone give me suggestions on how to approach this matter, please?
Thanks.

Usually the way this is done is when a purchase is completed successfully, a server script coins a unique download ID (usually some long sequence of randomly generated digits), associates it with the person who bought it, stores that info in a database and then puts it in a download link and sends it to the buyer - either in a returned web page or in an email.
The buyer can then click on that link which will take the buyer to your server. The server looks up the unique download ID that is in the URL, checks the database, decides if it's still a legitimate download ID and, if it is, it returns that actual download file to the browser with the right content-type so that the browser does the right thing with the returned data.
Your server can then decide how long it wants to keep that download ID as valid. It can be only for 1-3 uses (allowing for the fact that the legitimate person downloading may have had a glitch and had to redownload it), it can be for only a certain amount of time from purchase or from first download or any other algorithm that you thinks suits your business needs. You can age out old, expired records from the DB either with a chron job or in some regular housekeeping function you call.
Sorry, but I do not know enough about the back-end integration options in PayPal to know how to integrate this into PayPal, but this is the general workflow you probably want. If PayPal generates a unique transaction ID that is random enough for your needs, you might even be able to use that in your URL and database.

Related

One click ebook

I am implementing a referral program and giving people and ebook as a reward. Is there a way without using a database to make it so that the ebook is only available for 24 days to the user? I don't want users to share the ebook PDF. What can I put in place to prevent this? I'm guessing I should also update robots.txt?
I'm using node js and JavaScript
Save file as usernameOfUser_deadlineTimestamp.pdf. Now when a user requests a file, simply fetch filenames from the folder and look for file starting with name usernameOfUser. Now, get the current timestamp and compare it with the deadlineTimestamp you get from the filename. If current timestamp is less that deadlineTimestamp, serve the file else show error message. Use fs to determine filenames etc.
The proper solution is to implement some kind of authentication to know who (which user) is requesting the ebook and then some kind of authorization to decide if you will serve him the ebook or not (not if the 24 day period is expired).
These information must be available on your server in any form, and regardless of the form it is a database already.
Now the robots.txt is useless in this situation as no crawler can authenticate as a valid user, so no one can have access to the resource.
The database-less solution is to generate a pretty long link for every user and encrypt the all the needed pieces of information in that link.
So would a link like http://example.com/gvdcwt5f23ydvuztb2ftyuzfydy826ngnuy2u2gfzgnyg2y6gn2gyf6g2f2uynfu contain the user name (or any other identification) and the expiration date. So every time this link is requested the server decrypts it and serves the requested ebook.
robots.txt is still useless as you won't have the ebook available as http://example.com/ebook.pdf and there will be no mention of those long links, no robot will bother to scan your server by guessing working links.
Regarding the handling of the pdf when the user downloaded it, you have no more control over it. You can place copyright notice in the pdf itself to prevent sharing by gentle users, but there is no way of protecting the contents of the pdf file. You can encrypt it, but once user can share it with credentials, you can generate pdf for all users with invisible information stored in it have the ability to identify who shared it if you find a shared copy, but any of these and certainly many others is probably not worth the time spent by implementation of such a "protection".

Javascript - get click another site page link?

I want to know if my website user click in a link in another website so I can show him a thank you message.
I want to get this click in another website link. Is it possible? How can I do something like this?
Thank you
Your question doesn't state whether you control the link you are trying to monitor, or if you are trying to monitor a link controlled by a third-party website. I'm going to assume the later, but if you control the link, then see the first comment to your answer.
The short version is that there is no way to independently monitor a user's action on another website from within your own. To allow this would violate some of the fundamental tenants that networking and the Internet are based on. For example, if I host the website www.reallyCoolRocksToBuy.com and I want to know whether or not you just purchased a really cool rock on Amazon after viewing it on my site, there is no way to directly get this data even though both my website and Amazon's are open in your browser at the same time.
The highest level object you can access via Java or HTML normally (there are always some exceptions) is the Window object of your own page. There used to be a way to have some control over a third-party page that was launched in a window that you spawned, but this is no longer possible, and even it it was, you still wouldn't be able to monitor any links from that site.
The only way to achieve what you want is for the third-party site to be involved in the communication. Many sites have APIs for sending and receiving referral or link information. For example, Amazon has an API that you can use when someone clicks on an Amazon link from your site. There are a number of ways this is achieved, but basically your link sends a specially encoded string to Amazon identifying your site as the referrer. Amazon can this use this string to create and share session information from the visitor. Depending on what your relationship was with Amazon, you might be able to use this session information to find out if your user purchased a pretty rock from Amazon, but it would be entirely up to Amazon to share this information.
Cookies and other local data can also be used to achieve similar results, but again, you have to have the cooperation of the site.

Possible "autoprint" feature requested for a web application

I was asked an odd question this morning--We have customers who have a number of PDF reports hosted on our services which are accessed through https (not a direct file link, but accessed by a rest url).
Customers often print these reports on a daily basis.
The request is that these reports automatically print (could be default printer) each morning.
My initial reaction is to laugh, because obviously this is impossible without some user action. But the more I think about this, the more I am inclined to believe there may be ways. For example, if there is some generic "print" user with limited access, and if the browser is left open, and some Javascript on the login screen checks the time of day, it might be possible to retrieve files at a specified time and print. I don't believe I can automatically print--but at least I can open a print dialog.
I know the request to automatically send things to a far away printer from our web services is impossible. Wondering if I can provide the next best thing, and if anyone has a good idea to share here.

Prevent accidental session hijacking using JavaScript

Okay, this may sound like a stupid question, but this actually is a real life situation I gotta sort out.
The company I work for is using a rather outdated online shop software (PHP) which is hosted on the companys server. Unfortunately, the source code is encrypted and the CMS does not allow me to add some PHP code either, so I guess I'm stuck with JavaScript on this one.
Let's say we have a huge sale start coming up and people start sharing links via YouTube, Twitter, and so on. Due to the software being made somewhere in the last century, some links still contain session IDs which will definitely be shared by some users. This, however, will result in multiple users placing orders on the same customer account or even worse, overwriting existing customer accounts with new customer data.
I know that this situation is far from ideal and that the software definitely needs and update, but this is not an option at the moment. I also know that I'm not getting a 100% solution, so I'm just gonna try to prevent people from accidentally wrecking some customer data.
That being sad, I though about checking the URL for a Session ID and checking the value in document.referrer aswell. If the URL contains a Session ID and the referrer is some other server than ours, I'll just do a quick redirect to the main landing page. Again: This is meant to prevent the average user from accidentally logging into someone elses account due to clicking on a bad link, I'm not trying to prevent proper session hijacking here.
Any ideas on this one? Are there any situations where the referrer might not contain actual values, e. g. the browser not sending referrers at all? Any other ways to sort this out using JavaScript only?

How would I capture the timestamp of when a link is clicked in an Email?

This may be a bit of a tricky one (for me at least, but you guys may be smarter). I need to capture the timestamp of exactly when a reader clicks a link in an email. However, this link is not a hyperlink to another webpage. It is a link formatted as a GET request with querystrings that will automatically submit a form.
Here is the tricky part....The form processing is not handled by PHP or .NET or any other server side language. It is a form engine that is hosted and managed by a cloud based marketing platform that captures and displays the form submission data (So i have no access to the code behind the scenes).
Now, if this wasn't an email I'd say it is simple enough to just use Javascript. However, javascript doesn't work so well with email, if at all (I'm just assuming there are some email clients out there that support javascript).
How would you go about capturing the timestamp for when the link is clicked without using any type of scripting? Is this even possible?
The best solution i could come up with was to have the link point to an intermediate page with javascript to capture timestamp and then redirect to the form submission. Only problem with that is that it will only capture timestamp of page load and not of the actual click activity.
There is no way to do what you want "without any type of scripting". If no scripting is done, no functionality may be added or changed.
The best option is the very one you suggested: use an intermediary page that records the request time. Barring unusual circumstances (such as a downed server), the time between a link being clicked and the request reaching the server will be less than 1 second.
Do you really need a higher resolution or accuracy than ~1s? What additional gain is there from having results on the order of milliseconds or microseconds? I can't imagine a scenario in which you'd have tangible benefits from such a thing, though if you do have one I'd love to hear it.
My initial thought was to say that what you're trying to do can't be done without some scripting capability, but I suppose it truly depends on what you're trying to accomplish overall.
While there is ambiguity in what you're trying to accomplish from what you have written, I'm going to make an assumption: you're trying to record interaction with a particular email.
Depending on the desired resolution, this is very possible--in fact--something that most businesses have been doing for years.
To begin my explanation of the technique, consider this common functionality in most mail clients (web-based or otherwise):
Click here to display images below
The reason for this existing is that the images that are loaded into the message that you're reading often come from a remote server not hosted by the mail client. In the process of requesting that image, a great deal of information about yourself is given to that outside server via HTTP headers in your request including, among other things, a timestamp for the request. Thus the above button is used to prevent that from happening without your consent.
That said, its also important to note how other mail client providers, most notably gmail, are approaching this now. The aforementioned technique is so common (used by advertisers and by other, more nefarious parties for the purpose of phishing, malware, etc) that Google has decided to start caching all mail images themselves. The result is that the email looks exactly the same, but all requests for images are instead directed at Google's cached versions.
Long story short, you can get a timestamp to note interaction with an email via image request, but such metric collection in general, regardless if its done in the manner I've outlined, is something mail clients try to prevent, at least at some level.
EDIT - To relate this back to what you mention in your question and your idea of having some intermediary page, you could skip having that page and instead you would point an image request towards a server you control

Categories