http://qs321.pair.com?node_id=509533

hmbscully has asked for the wisdom of the Perl Monks concerning the following question:

I'm looking for help/suggestions as well as just trying to get this out of my head and see how bad my logic is for this problem.

Basics:
I have a set of .html and flash files in a directory. I want to sell access to these files for a nominal amount for 24 hours. The purchaser will receive an email and purchase confirmation page that will have a URL to access the files for the limited amount of time. I already have a perl script in place to deal with the purchasing.

Problem:
I need to figure out how to generate the random URL string and then expire it after a certain amount of time. This is not a random filename problem, this is a random directory name problem. I also need to figure out where to store the random directory name value so I can access it within the purchasing script (which handles more than just these URL's for sale).

Initial Thoughts:
I will have all the files in a directory and with a cron, I'll run a script to mv the directory to a new directory name every so often. This where the logic gets weird. Because if a person buys the item at 11:59pm on 11/14 and the cron runs at 12:01am on 11/15, then they'll immediately lose access, which doesn't work. There is the thought that we tell the user its only available for 24 hours, but its really available for 48 hours, but then I guess I'd need to have 2 set of files and keep track of which one is still valid to be "sold". And here is where my head starts to explode.

Environment
As a note, I'm doing this on an aging system running v.5.004_04 and while I have most basic modules, adding new ones aren't really an option. If someone suggestions one, I'll gladly look to see if it is installed. The last two times I've tried to have new modules installed it took 3 months and the "unix admins" horked up my 5.6 install (which is why I'm back to the older version). The deadline for this is less than 3 months. I also have no real database to access beyond text files. Thankfully, I am getting a new tasty server running linux and a current version of perl soon. But it still isn't here, so I must continue to toil in an environment from 1998 for now.

Please ask me many questions and point out obvious things that I am not thinking about. I just need other views on this problem.

Replies are listed 'Best First'.
Re: Random directory creation/deletion scheduling logic problem
by GrandFather (Saint) on Nov 17, 2005 at 19:59 UTC

    Rather than create a random directory name, create a link name which encodes expire time and possibly a small numeric key for security (serial number or partial MD5 or whatever). It is then easy to expire access by examining the link names, pulling out the expire time and deleting the link as appropriate. That even scales very nicely to selling n days worth of access.

    There is a hint "keep track of which one is still valid to be "sold"" that only one user may have access at a time. If that is the case the link name should include the target dir name so you can search (using readdir for example) to see if the material is in use or not.


    DWIM is Perl's answer to Gödel
      No, as many users as have purchased can access the links at a time. Its just flash and html, no restrictions on users.

      I'm thinking that I want to change the directory name because there will actually be 4 separate links, i.e.

      http://www.mysite.org/randomdirectory/link1.html<br> http://www.mysite.org/randomdirectory/link2.html<br> http://www.mysite.org/randomdirectory/link3.html<br> http://www.mysite.org/randomdirectory/link4.html<br>

      A buyer could purchase just one, a combination of two or three, or all four at once. Keeping track of 4 different links seems like even more work. Or maybe its not and I'm just imagining all this badly. We don't need real stringent security, it isn't a high stakes selling price.

      But out of curiosity, how would one encode an expire time to a file name?

        You can do the link and time like this:

        http://www.mysite.org/hard_links/link1_200511191927.html http://www.mysite.org/hard_links/link2_200511191927.html

        which sets the expiry time to 19th nov. 2005, 19:27 (local or UT as you like).


        DWIM is Perl's answer to Gödel
Re: Random directory creation/deletion scheduling logic problem
by Kanji (Parson) on Nov 17, 2005 at 20:07 UTC

    The simplest method I can think of would be to password protect the URL using htaccess.

    You can then create a login on purchase and delete it after the 24 hour window without having to worry about moving directories, etc.

    For implementation, I'd start with HTTPD::UserAdmin as it let's you add meta info to htpasswd files really easily...

    $auth->add($username, $password, { 'expired_after' => time + 86_400 }) # ... and then later using cron or something ... my $meta = $auth->fetch($username, 'expired_after'); $auth->delete($username) if $meta->{'expired_after'} < time;

        --k.


      This would be a great solution, but I'm not on Apache. I'm on a really old Netscape Server and as far as I know (from the one old manual I still have), there's no htaccess file in this web server. And I don't have that module and its just easier to assume I'll never have it.

      I don't want to come off as a total naysayer, these are good ideas and I appreciate them, I'm just trying to work within the restrictions that I know I have to work in.

        Netscape has support for .htacces-like functionality via it's .nsconfig files, and HTTPD::UserAdmin has support for DBM files, which .nsconfig's RequireAuth uses.

        As for not having the module:-

        It's a pure-Perl implementation, so there is zero reason you couldn't install it yourself if you're allowed to upload files, with the worst case scenario being you cut n' paste the module directly into your Perl script.

            --k.