  1. #1
    Join Date
    Jan 2013
    Posts
    21
    Plugin Contributions
    0

    Default Download by redirection

    I know that for security reasons the attributes for downloadables should be set to "Download by redirection". If I do that, I get an error message telling me that "I do not have permission...etc."
    If I turn it off to 'false' it works fine.

    I came to the forum looking for an answer and found a thread where it says that in cases like this, the problem should be directed to the hosting company.

    I was ready to contact my hosting company but I can't find the thread where it explains what the problem is.

    I need either the link to the thread or some explanation of what it is that I should be requesting from my hosting company so that my downloadables work with the "Download by redirection" on.

    Thank you.

  2. #2
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Download by redirection

    See the details in your /pub/.htaccess file -- the comments in that file in that folder explain the server requirements which you will need to get your hosting company to take care of.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Jan 2013
    Posts
    21
    Plugin Contributions
    0

    Default Re: Download by redirection

    Quote Originally Posted by DrByte View Post
    See the details in your /pub/.htaccess file -- the comments in that file in that folder explain the server requirements which you will need to get your hosting company to take care of.
    Thank you for your prompt response. But, the only file inside my 'pub' folder is 'index.html'

  4. #4
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Download by redirection

    Lemme guess - you're using Windows.

    Filenames starting with a "." are treated as "hidden" files. Your PC probably hides them by default, and your FTP program probably also has itself set to hide them by default. You should tell your FTP program to not hide dot-prefixed files.

    Here's the information you need, copied from that file:
    ## the following line is needed to allow Download-By-Redirect to work
    Options +FollowSymLinks

    #
    # This is used with Apache WebServers
    #
    # The following blocks direct HTTP requests to all filetypes in this directory recursively, except certain approved exceptions
    # It also prevents the ability of any scripts to run. No type of script, be it PHP, PERL or whatever, can normally be executed if ExecCGI is disabled.
    # Will also prevent people from seeing what is in the dir. and any sub-directories
    #
    # For this to work, you must include either 'All' or at least: 'Limit' and 'Indexes' parameters to the AllowOverride configuration in your apache/conf/httpd.conf file.
    # Additionally, if you want the added protection offered by the OPTIONS directive below, you'll need to add 'Options' to the AllowOverride list, if 'All' is not specified.
    # Example:
    #<Directory "/usr/local/apache/htdocs">
    # AllowOverride Limit Options Indexes
    #</Directory>

    Summary:
    Your server needs to support these:
    - "AllowOverride Limit Options Indexes" OR "AllowOverride All"
    - AND "Options +FollowSymLinks"
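
A host-side check of the AllowOverride requirement summarised in the post above, as an added example that is not part of the original thread or of Zen Cart. The function names, the sample config and its directory paths are constructed; Include'd files and Directory paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: does the <Directory> block for DIR grant the AllowOverride
# classes the pub/.htaccess comments ask for (All, or Limit+Options+Indexes)?

check_allowoverride() {   # usage: check_allowoverride HTTPD_CONF|- DIR
    awk -v dir="$2" '
        /^[ \t]*#/ { next }                          # skip comment lines
        tolower($1) == "<directory" {
            d = $2; gsub(/[">]/, "", d); sub(/\/$/, "", d)
            inside = (d == dir); next
        }
        tolower($1) == "</directory>" { inside = 0; next }
        inside && tolower($1) == "allowoverride" {
            found = 1; all = lim = opt = idx = 0     # a later line replaces an earlier one
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all")     all = 1
                if (t == "limit")   lim = 1
                if (t == "indexes") idx = 1
                # "Options" alone, or an Options=... list that names FollowSymLinks
                if (t == "options" || (t ~ /^options=/ && t ~ /followsymlinks/)) opt = 1
            }
        }
        END {
            if (!found) { print "no AllowOverride found for " dir; exit 2 }
            if (all || (lim && opt && idx)) { print "ok"; exit 0 }
            print "missing:" (lim ? "" : " Limit") (opt ? "" : " Options") (idx ? "" : " Indexes")
            exit 1
        }' "$1"
}

demo_conf() {   # constructed sample, not a real server config
    cat <<'EOF'
# AllowOverride All
<Directory "/var/www/shop/pub">
    AllowOverride Limit Indexes
</Directory>
<Directory "/var/www/shop2/pub">
    AllowOverride Limit Options Indexes
</Directory>
EOF
}

# Demo: the first directory lacks Options, the second satisfies the requirement.
demo_conf | check_allowoverride - /var/www/shop/pub || true
demo_conf | check_allowoverride - /var/www/shop2/pub
```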

  5. #5
    Join Date
    Jan 2013
    Posts
    21
    Plugin Contributions
    0

    Default Re: Download by redirection

    Thank you DrByte, I will pass this to my hosting company. They have always been very willing to help when I asked for help. :)

  6. #6
    Join Date
    Jan 2013
    Posts
    21
    Plugin Contributions
    0

    Default Re: Download by redirection

    Okay...
    I passed the information above to my hosting company and sent them the information above. After a few hours, they sent a message telling me that they had done what you suggested and asked me to test the site to see if I was still receiving the error/forbidden message.

    I did a test with a purchase and the problem continued. So I went to the administration area and turned off the "Download by Redirect" and turned on the "Redirect by Streaming" and it is working!!

    My question now is... is this safe? Is there anything else I should do? Thank you.

  7. #7
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Download by redirection

    Should be fine

  8. #8
    Join Date
    Jan 2013
    Posts
    21
    Plugin Contributions
    0

    Default Re: Download by redirection

    Quote Originally Posted by DrByte View Post
    Should be fine
    Hi DrByte:
    Well, I got excited too soon. I believe I had not set it to "Download by Streaming" when I did the testing purchase. The 403 error is there when I turn on the "Download by Redirect" even though the hosting company said they did what is suggested here. I do have to say that they contacted me this morning asking for my administration details for them to recreate the problem and work on it.

    But my question below here is because I've been reading almost every post related with downloads and security and found THIS ONE about moving the download folder.

    So, this morning, I started doing it and moved the download folder to home/myusername/download and everything went well, until I tried to change:

    This: define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

    To this: define('DIR_FS_DOWNLOAD', '/home/my_user_name/download/');

    According to the instructions, these two configure.php files need to be modified to show the new paths:
    - /includes/configure.php
    - /admin/includes/configure.php

    From my cpanel, I was able to change one of the configure.php files, but I got a 'Permission Denied' on the other one, therefore I was not able to complete the transfer of the 'download folder' that would be the solution to the security problem.

    Any suggestion why I got permission denied on my own cpanel? I would like to be able to do it without having to contact the hosting company.

    And... when the 'download by redirect' is turned off, are the files still in danger of being stolen even when I set it to 1 or 2 downloads? Thank you.

  9. #9
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Download by redirection

    Quote Originally Posted by Isabella View Post
    From my cpanel, I was able to change one of the configure.php files, but I got a 'Permission Denied' on the other one, therefore I was not able to complete the transfer of the 'download folder'
    The configure.php files are usually set to 'read-only', specifically so that unauthorized changes can't be made without some effort.
    You'll need to use your cpanel file manager to change the permissions to writable. Then save your changes. Then put the permissions back to what they were.
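
The edit discussed in posts #8 and #9 as a script, added here as an example that is not part of the original thread or of Zen Cart: it rewrites the DIR_FS_DOWNLOAD define in a read-only configure.php and restores the file's original mode afterwards. The function names and the temp-file demo are assumptions; it would be run once for each of the two configure.php files.

```shell
#!/bin/sh
# Added example: change DIR_FS_DOWNLOAD in a read-only configure.php,
# then put the file's permissions back exactly as they were.

file_mode() {   # octal permission bits (GNU stat first, BSD stat as fallback)
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

set_download_dir() {   # usage: set_download_dir FILE /absolute/path/
    file=$1 new_path=$2
    [ -f "$file" ] || { echo "not a file: $file" >&2; return 1; }
    case $new_path in
        *"'"*|*'\'*|*'|'*|*'&'*)   # would break the PHP string or the sed expression
            echo "unsupported character in path" >&2; return 1 ;;
        /*/) ;;
        *)  echo "path must be absolute and end with /" >&2; return 1 ;;
    esac
    grep -q "define('DIR_FS_DOWNLOAD'" "$file" ||
        { echo "DIR_FS_DOWNLOAD not defined in $file" >&2; return 1; }
    orig_mode=$(file_mode "$file") || return 1
    tmp=$(mktemp) || return 1
    # Build the new content first, so the file is writable only for the final copy.
    sed "s|^\([[:space:]]*\)define('DIR_FS_DOWNLOAD'.*|\1define('DIR_FS_DOWNLOAD', '$new_path');|" \
        "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    rc=0
    chmod u+w "$file" && cat "$tmp" > "$file" || rc=1
    chmod "$orig_mode" "$file" || rc=1   # restore the mode even if the write failed
    rm -f "$tmp"
    return "$rc"
}

demo() {   # runs on a constructed file in a temp directory, not a real store
    dir=$(mktemp -d) || return 1
    printf '%s\n' '<?php' \
        "  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');" > "$dir/configure.php"
    chmod 444 "$dir/configure.php"
    set_download_dir "$dir/configure.php" '/home/my_user_name/download/' &&
        echo "mode $(file_mode "$dir/configure.php"):" &&
        grep DIR_FS_DOWNLOAD "$dir/configure.php"
    rc=$?; rm -rf "$dir"; return "$rc"
}

demo
```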

  10. #10
    Join Date
    Jan 2013
    Posts
    21
    Plugin Contributions
    0

    Default Re: Download by redirection

    Quote Originally Posted by DrByte View Post
    The configure.php files are usually set to 'read-only', specifically so that unauthorized changes can't be made without some effort.
    You'll need to use your cpanel file manager to change the permissions to writable. Then save your changes. Then put the permissions back to what they were.
    Done! And downloads running well! Thank you!

 

 
