Unable to connect to socket: Connection timed out/refused (110)/(111)
- This topic has 12 replies, 2 voices, and was last updated 13 years, 4 months ago by wzp.
September 12, 2011 at 10:58 am #4289 Wollie (Member)
Hi,
I have installed eStore for Pay per view product sales and, as some other users have found, everything seems to work fine up to the point where the customer clicks on the encrypted link, when they get the same connection refused (111) or connection timed out (110) error. However, the other threads seem to have different issues to me.
I have searched this site and the internet high and low as well as been in contact with my service provider again and this was their response:
“The script is trying to perform a loopback connection. A connection to the server from itself. This is blocked at our Firewall to protect the server from attacking itself internally. You should contact the script author who should be able to provide you details on how to resolve this by loading the file and running the script locally without requiring a loopback connection.”
Please can someone advise me how I can go about fixing this!
Would a fix in any way subject my content to security risk?
Look forward to hearing from you.
Thanks in advance!
W
September 12, 2011 at 11:13 am #36526 Wollie (Member)
Further information from the service provider:
“What I mean by locally is simple rather than calling a URL (Loopback connection) for example getting the location http://yourdomain.com/this_is_a_script/performing_a_loopback.php
Simply open this file on the server.
open(IN,"/home/sites/yourdomain.com/public_html/this_is_a_file/not_performing_a_loopback.php");
and then running the code from the opened file.
This does come up every now and then but most programmers will run files from a file on the server rather than making a web request over http.”
Please can someone advise me on what exactly I would need to do to fix this as I am not an expert PHP programmer nor an eStore expert … hence purchasing this product in the first place :o).
Your help would be greatly appreciated!!!
Thanks!
W
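Reading the file from disk instead of requesting it over HTTP, as the hosting provider describes above, shown as an added example in PHP (not eStore code; the directory layout and function names are assumptions). It resolves a name inside a directory kept outside public_html and refuses any path that escapes that directory.

```php
<?php
// Added illustration; not eStore code. Directory layout and names are hypothetical.

// Resolve $name inside $protectedDir (a directory kept outside public_html) and
// return the real path, or null if it is missing or escapes the directory.
function resolve_protected_file(string $protectedDir, string $name): ?string
{
    $base = realpath($protectedDir);
    $path = realpath($protectedDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must sit under the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Stream the file from disk; no HTTP request back to the same server is made.
// The caller is expected to have sent any response headers already.
function send_protected_file(string $protectedDir, string $name): bool
{
    $path = resolve_protected_file($protectedDir, $name);
    if ($path === null) {
        return false;
    }
    return readfile($path) !== false;
}

// Constructed sample layout in a temporary directory so the demo runs offline.
$root = sys_get_temp_dir() . '/loopback_demo_' . getmypid();
mkdir($root . '/protected', 0700, true);
file_put_contents($root . '/protected/video.html', "<p>constructed sample content</p>\n");
file_put_contents($root . '/secret.txt', "outside the protected directory\n");

var_dump(send_protected_file($root . '/protected', 'video.html'));    // file inside the directory
var_dump(send_protected_file($root . '/protected', '../secret.txt')); // path that climbs out of it
```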
September 12, 2011 at 1:03 pm #36527 Wollie (Member)
So as it transpires… Thanks to a very talented developer friend of mine:
It seems that for some reason the following code in download.php is being evaluated incorrectly!!!
    if ($retrieved_product->downloadable == 'no') {
        // File is not downloadable through the eStore download manager…
        if ($retrieved_product->ppv_content == 1) {
            // File is PPV content…
            $_SESSION = true;
            $_SESSION = $file_path;
            header('Location: '.WP_ESTORE_URL.'/mask.php');
        } else {
            // File is downloadable, using the browser, from a non-obfuscated source…
            header('Location: '.$file_path);
        }
    }
So I solved the problem by unchecking the pay per view check box in the Add/Edit Products – Digital Content Details section.
I assume that this could be a bug… or perhaps needs a little helpful explanation in the comments/notes.
Hope this helps.
September 12, 2011 at 1:38 pm #36528 wzp (Moderator)
What specifically were you trying to do, that caused you to want to check the PPV box to begin with?
September 12, 2011 at 4:00 pm #36529 Wollie (Member)
Hi wzp,
Thanks for your post…
I am trying to create a Pay Per View product site (not downloadable but viewable)… if the downloadable is checked then the user is able to download the html or php page wherein I have embedded a video. I want them to just be able to watch it..
I seem to be able to get the desired result if I uncheck both downloadable and pay per view check boxes but then the URL is not masked …
In fact on further testing it seems if I just try access the mask.php directly as a url I get the same connection refused error IF I check the PPV check box in the Product Digital Content Details section.
Hope that makes sense.
Please advise.
September 12, 2011 at 4:01 pm #36530 Wollie (Member)
The Help text on the Digital Content Details section says: “If you are offering Pay Per View content then check this box and uncheck the “Downloadable” checkbox above. For pay per view content, the true URL of the page where the content is embedded (e.g. a streaming video) does not get revealed.”
September 12, 2011 at 5:07 pm #36531 wzp (Moderator)
The PPV checkbox is used for directly pushing a video file to a browser; the “so called OLD” PPV method. If you have a WordPress page, with an embedded video player, you want to do this instead…
http://www.tipsandtricks-hq.com/ecommerce/using-wordpress-permalinks-as-digital-products-apr-1217
September 12, 2011 at 5:09 pm #36532 wzp (Moderator)
Don’t worry about seeing the URL in the browser; security is managed via encrypted cookies.
September 12, 2011 at 5:38 pm #36533 Wollie (Member)
Thank you,
I will have a look at that link and get back to you.
Very much appreciated!!
September 12, 2011 at 6:52 pm #36534 Wollie (Member)
Hi,
Ok, I seem to have gotten the APR short codes to work… though not fully tested yet.
However I was wondering if you can explain in a nutshell how I would use these short codes to access content held outside of the public_html folder, please!! I can’t seem to find anything that explains this adequately.
Thanks again for your fantastic help!
September 12, 2011 at 7:10 pm #36535 wzp (Moderator)
The APR short codes only work on pages (permalinks) hosted on your WordPress site. Using APR is like protecting a page using eMember, content to be protected goes inside the short code.
An unauthorized user will never see the content.
Now then, with that said… an authorized user will see the content. He can share the link to that page all he wants, but without the encrypted APR cookie, the content will not be rendered.
If a rogue authorized user (inside threat) were to save the source code for the page; then it may be possible to access an embedded video if the player gave away the source URI for the video. To counter such a threat, you could host the videos on Amazon S3 and use a plugin like Lightbox Ultimate to securely access the video.
Think of security as a Christmas present… how much wrapping do you want to put your content inside?
September 13, 2011 at 11:57 am #36536 Wollie (Member)
Hi wzp,
Is Amazon S3 the only way one can prevent the source URI from being seen and potentially distributed?
And secondly, would it not be possible to use a combination of the mask.php method and APR so that source code is not visible? If so .. Any suggestions on How?
Thanks for your help!
September 13, 2011 at 1:23 pm #36537 wzp (Moderator)
Use of the “PPV masking” method imposes a performance burden on your server, as do the existing download methods (1 to 7); because they depend on your server acting as a “man in the middle.” The issues have to do with scalability. As the average file & video download sizes increase, so does the processing burden on your server. And when files and videos are hosted “someplace else,” you double your server’s monthly bandwidth usage, because files & pages would first be downloaded to your server and then pushed back out to the buyer; which in effect doubles the size of each video and file you sell to a buyer. The more data that has to be transferred increases the risk of something “going wrong.” And when something goes wrong, you get an unhappy buyer.
By off loading the storage and downloading of files and videos to services such as Amazon S3, you gain several advantages…
1. Server cost savings: Your server is no longer acting as a “man in the middle,” so your bandwidth and processing usage will be significantly reduced. From experience, we know that most sellers cannot afford high end hosting packages. Support for services like Amazon S3 lowers the seller’s hosting package requirements/cost.
2. Increased customer satisfaction: Buyers will experience the satisfaction of more reliable downloads, because you are handing off data transfers to the more reliable, faster and robust Amazon S3 network.
3. Reduced monthly overhead costs: Amazon S3 costs are extremely low. The first year is free, and sellers have reported monthly costs of less than (USD) $1. Because costs are based on volume, your monthly overhead is variable. If you self hosted, you’d pay the same cost per month, if you sold 100 files or 1 file.
4. High end infrastructure: Amazon S3 uses the same network and resources used for the Amazon.com site. They’re not going to “go cheap” on the infrastructure.
Mechanisms like APR (Authenticated Page Redirect), and Amazon S3, secure the sources by “authentication.” We don’t care if the buyer knows the source URI, because they need “something else,” in order to download or view the content.
PPV masking and the 7 download methods are called “security by obscurity.” We assume the buyer doesn’t want to waste the time & energy to figure out where the source is. But if they did figure it out, all bets are off.
Authentication provides a higher level of security than security by obscurity. With security by obscurity, a “script kiddie” can figure it out.
In both cases, we assume the buyer is entitled to see the rendered (page) or downloaded (file or video) content. We are merely controlling the number of times and duration that this can happen.
What we cannot control, is what happens when the content reaches the buyer’s browser. If they are determined enough, they can find ways of saving/recording/capturing the content for future replay or sharing. And with the proliferation of browser plugins out there, the buyer’s determination is just a Google away.
If a seller wanted to truly protect the content from replay/sharing, after it reaches the buyer’s browser, then they should consider the addition of DRM (Digital Rights Management) to the content.
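The distinction drawn in the post above between authentication and security by obscurity, as an added example in PHP (not eStore, APR or Amazon S3 code; the function names, secret and sample values are hypothetical). The content location can be known to anyone; what a request needs is a server-issued HMAC over its parameters, which cannot be forged and stops verifying once the expiry time passes.

```php
<?php
// Added illustration; not eStore, APR or Amazon S3 code. All names are hypothetical.
const LINK_SECRET = 'replace-with-a-long-random-server-side-secret'; // constructed value

// Issue a link for one buyer and one item that stops verifying after $expires.
function make_signed_link(string $base, string $item, string $buyer, int $expires): string
{
    // JSON keeps the field boundaries unambiguous inside the signed payload.
    $sig = hash_hmac('sha256', json_encode([$item, $buyer, $expires]), LINK_SECRET);
    return $base . '?' . http_build_query([
        'item' => $item, 'buyer' => $buyer, 'expires' => $expires, 'sig' => $sig,
    ]);
}

// Verify the query parameters of an incoming request against the current time.
function verify_signed_link(array $q, int $now): bool
{
    foreach (['item', 'buyer', 'expires', 'sig'] as $key) {
        if (!isset($q[$key]) || !is_string($q[$key])) {
            return false; // missing or non-scalar parameter
        }
    }
    if (!ctype_digit($q['expires']) || (int) $q['expires'] < $now) {
        return false; // malformed or expired
    }
    $payload  = json_encode([$q['item'], $q['buyer'], (int) $q['expires']]);
    $expected = hash_hmac('sha256', $payload, LINK_SECRET);
    return hash_equals($expected, $q['sig']); // constant-time comparison
}

// Constructed sample values; a fixed "current time" keeps the demo repeatable.
$now  = 1315850000;
$link = make_signed_link('https://example.com/watch.php', 'video-42', 'buyer-7', $now + 3600);
parse_str(parse_url($link, PHP_URL_QUERY), $q);

var_dump(verify_signed_link($q, $now));                          // link as issued
var_dump(verify_signed_link(['item' => 'video-43'] + $q, $now)); // item swapped, old signature
var_dump(verify_signed_link($q, $now + 7200));                   // same link after expiry
```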