I'm having some trouble implementing the LimeLM web api and I was hoping someone who's a bit more experienced with this could give me some guidance. Here's what I'm trying to accomplish:
The user is sent to a php webpage where they must enter their product key or email to download a file. If the LimeLM API finds the product key (using LimeLM::FindPKey), then the PHP script downloads the file from a hidden, htaccess-protected directory. I'm trying to get an extra level of security here, so I don't want to expose the direct location of the files on my server (hence using readfile from a PHP script since the htaccess file for that protected directory will only allow server-side access).
So the general layout is:

www.domain.com/download.php (page where user goes to download the file by entering their product key or email)
www.domain.com/LimeLM.php (classes from LimeLM web API)
www.sub.domain.com/.htaccess (deny from all)
www.sub.domain.com/files/secretfile.zip (protected file that we want to download if key is authenticated)
I'm a little new at this, but I'm hoping by the end of this I can have some complete example code here to help anyone else who might encounter something like this. It seems like a good way to restrict download access, since someone would have to give away their product key to share the download link. That would obviously let you know where the leak came from and you could take the appropriate action.
Does anyone see any issues here with this approach? Any security flaws that I should look out for? I plan to use something as simple as readfile("www.sub.domain.com/files/secretfile.zip") if the product key they entered is valid.
Thanks in advance!
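Added example of the download script described above (not the poster's code and not LimeLM's own sample). It assumes the protected files live in a local directory outside the web root, and that `check_key()` is a stub standing in for the LimeLM::FindPKey call, whose exact signature and return value are not shown on this page; the key pattern in the stub is constructed, not LimeLM's real format.

```php
<?php
// Added example, not the poster's code. Assumptions:
//  - FILE_DIR is a local directory outside DocumentRoot (so no .htaccess is needed)
//  - check_key() wraps the LimeLM lookup (LimeLM::FindPKey in the post); the stub
//    below is a constructed placeholder so the script runs without the API.
declare(strict_types=1);

const FILE_DIR = '/var/protected/files';                  // assumed path
const ALLOWED  = ['secretfile.zip' => 'application/zip']; // whitelist of downloadable names

function check_key(string $key): bool
{
    // Placeholder: replace with a call to LimeLM::FindPKey($key) and return true
    // only when the API reports that the key exists. Constructed pattern only.
    return preg_match('/^[A-Z0-9]{4}(-[A-Z0-9]{4}){4}$/', $key) === 1;
}

function resolve_file(string $name): ?string
{
    // Whitelist lookup instead of building a path from user input: no ../ traversal.
    if (!isset(ALLOWED[$name])) {
        return null;
    }
    $path = FILE_DIR . '/' . $name;
    return is_file($path) ? $path : null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit('Submit the form to download.');
}

$key  = trim((string) ($_POST['pkey'] ?? ''));
$name = (string) ($_POST['file'] ?? 'secretfile.zip');

if (!check_key($key)) {
    http_response_code(403);          // same response for unknown and malformed keys
    exit('Invalid product key.');
}

$path = resolve_file($name);
if ($path === null) {
    http_response_code(404);
    exit('No such file.');
}

// Record which key fetched which file, so a leaked archive can be traced to a key.
error_log(sprintf('download key=%s file=%s ip=%s', $key, $name, $_SERVER['REMOTE_ADDR'] ?? '-'));

header('Content-Type: ' . ALLOWED[$name]);
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);                      // stream the bytes; the directory is never exposed
```

Because the file is read from the local filesystem rather than fetched over HTTP, the protected directory can sit entirely outside the web root and needs no URL at all.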