The security for the downloads folder is based on the .htaccess file in the folder.
The security for the downloads folder is based on the .htaccess file in the folder.
There is an article in the wiki that explains how to put folders such as downloads and such ABOVE he root so there is no public_access to them at all
dosnt get much more secure than that
Zen cart PCI compliant Hosting
Here's the article mentioned by merlin:
www.zen-cart.com/tutorials/index.php?article=280
Thanks for the responses, I moved the downloads folder above the public stuff. But I just found what I think may be a major flaw in the digital downloads stuff. I change the expired data to one day and say have 3 downloads possible. The links for the first and second downloads are disabled after they are downloaded which is good. However the link for the last download can be saved by the customer in their browser and be used indefinitely! For example, I want to sell pdfs, so I could have the link expire in a day or two and have 3 downloads one of them doesn't work or something. But on the last download, after the pdf opens in their browser (since the browsers see the pdf files as document to open and not download) then they can copy the address in the address bar and use it over and over again and send it to all their friends! Is there a fix for this?
For example, this link was the last download 2 days ago and was set to expire yesterday (1 day):
http://book-mate.com/main-site/pub/....fjyxc/yeah.pdf
You can see that anyone could still access the file if they had the password.
Nevermind, it's working now. I guess I had to wait 2 full days from the minute the order was placed even though I said 1 on the product attributes. Oh well, that's a relief.
Pointing you back to the FAQ article mentioned earlier (and the "related articles links" at the bottom of that same FAQ), you'll note that if you're not satisified with how the "Redirect" method works, you could always switch to "Streaming" method instead ... which doesn't link to a physical file (which seems to have bothered you).
.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.