Linklocker Free (encrypt download links)
Development and Programming
I’ve created a module in response to a post here, to replace the LinkLok script from VibraLogix. The current version below of the Linklocker module is free for use on commercial and non-commercial expression engine sites. Simply pass it the URL to a file you wish to allow a user to download (but don’t wish to allow them to know the file’s location) and it will provide a download link that hides the file’s true location. Also, it allows you to create a timeout for the link (default is 5 minutes) as well as lock the link to the IP address of the person who is shown the link. Please read the docs.txt file for usage instructions, examples and more.
I’ve verified it working on PHP4 and PHP5. Please feel free to use it and let me know of any bugs you find. Also, if there are improvements you’d like to see to the script, perhaps eventually in a “pro” version, feel free to leave those suggestions as well.
Mime types have been updated and now support is confirmed for the following filetypes: .pdf, .ppt, .doc, .xls, .rar, .tar, .zip, .jpg, .jpeg, .gif, .png, .wma, .flv, .mov, .mp3, .wav, .exe
Although other file extensions certainly work, these are the ones that I have confirmed. If you can confirm other file types working, please let me know and I will add them to the docs. If you require support for a filetype that you have confirmed does not work, please let me know and I will try to add support for it.
UPDATE : 4/16/2010 LinkLocker has been updated to version 1.5. Module name is now referred to as LinkLocker Free. Bug fix for problem serving .pdf files. Bug fix that was causing IP Lock to always be on. Fixed documentation to properly show how to use debug modes. Added error messages for iplock, expired, and allow_url_fopen not on. To upgrade please uninstall previous version and install new version. I hope you find this module useful.
Download: Please visit the brad-street.com website to download the latest version of LinkLocker Free.
Hi Brad,
A simply fantastic module here so thank you for that. A question and a couple of feature requests if I may? 😉
Question You have stated above that this is free to use on non-commercial sites. How much would you charge me if I were to use this on a commercial site then?
Feature Requests
1 - IP Locking so that a person can’t send on the link to someone else before it expires?
Why don’t I ever remember to RTFM? 😉
2 - Some way of locking the links?
Regarding number 2 above at the moment the module works exactly as advertised but I am thinking that if you provide these links via a template then all the person has to do is to refresh the page to get a new time-locked link so perhaps some way of caching what a person (logged-in user) sees? A toughie I know!! 😊
Thanks again for such a fantastic module! 😊
Best wishes,
Mark
Hey Mark,
Thanks for the kind words about my first module.
As for using this module on a commercial site, I’m going to amend my previous statement and say that this version of the module is free to use on personal or commercial sites. That is, after all, why I developed this in the first place.
As for item #2, I am considering implementing tracking that would allow you to restrict the number of times a user can get a “new” link displayed, but this doesn’t address your question. As for caching the link that they have been shown instead of generating a new link if they refresh the page, I don’t understand the benefit. Could you give me a use case that would show the need for such an implementation? I’m thinking if they are logged in, and the link is locked to their IP, and they are to be shown a link, what’s the harm in generating more than one link to the file? All links generated can be locked to their IP and will timeout, and this will cause no real additional overhead on the system as the links are not currently stored anywhere.
Thanks for the great input!
Hi Brad,
WOW! Excellent news on the commercial part. I may just have a use for this module right away so thanks for that.
As to the other point I was thinking of something like you could provide people with a downloads page where the links would show and say be valid for 24 hours. After that time they can’t download the files any more. As it stands at the moment if they just refresh the page then they will get new links so if they had a link say :
http://www.example.com/my-downloads
and they have 3 links on the page and visit on a Monday then if they went back to the template on the Wednesday the links wouldn’t work any more. I’m not too sure how you would go about doing that though. I was just thinking for download links to purchased items then this would be a good idea so that you don’t have to have loads of links floating around everywhere or better still you could e-mail the page to the user and they would have to download their files within a certain time.
Don’t know if that makes any more sense?
Thanks again for such a fantastic addition to ExpressionEngine. It does exactly what it says on the tin and does it seamlessly. Absolutely brilliant. I can guarantee if you add more functions to this that a lot of people should be very interested in this.
Best wishes,
Mark
Hi Brad,
thanks again for sharing. Nice add-on! And it is a clever idea to register an event handler and therefore make links work through index.php.
Regarding future versions (I have to admit first that I’m a LinkLok URL user, so of course I’m comparing a bit) here are some thoughts when playing with your module:
When installing, having the language inside the module folder seemed to be weird. I now have one in the language folder and one in the module folder - not sure what is intended, but for localization, the language folder seems to be the way to go? Perhaps the installation instructions could be clarified in this point.
Related: There are some messages hardcoded in the source and not in the language file. That of course makes localization difficult.
It would be great if one could redirect users to some (error/download) page instead of the plain error messages that appear now in case of expired links etc. and that have no navigation.
LinkLok URL allows to set a custom key/password to further scramble the URL generated. I didn’t find thus an option in your source code and was wondering if therefore all links would be similar coded in all EE installations using Linklocker … and if some crack might be able to manipulate linklocker URL of other installations if he only plays around long enough with your code? With Linklok URL I feel more secure because he would have to know my secret key as well.
More on (the feeling of) security: As the full real URL is entered in the linklocker tag, everyone looking at the template (or the entry) can access and distribute the real URL. Again comparing, Linklok URL only uses a relative path/filename and has the secret folder containing the files in its setting … that way, the real URL isn’t exposed that easy (moreover, Linklok allows the hidden folder to be outside the document root - but that is optional).
And as a last point: I’m using the Linklok option to write a simple log file almost every time. But with tracking, that would be addressed automatically.
So, thanks again for the development. Perhaps the sketched ideas might be helpful for you regarding the further development of the module. Honestly, I don’t really need these as I’m already using LinkLok. But knowing the difficulties to get that work with EE, I’m pretty sure there is demand for a linklocker module. Keep on the good work!
Markus
@Mark, Thanks for the clarification. I understand what you’re saying and will keep it in mind for future development.
@Markus I will clarify the docs to specify that the language file only needs to go in the language/english folder (as it would with any other module) and does not need to remain in the same folder as the module files. Thanks for pointing that out.
Also, great call on the hard coded errors - it’s an area I’ve been carefully considering. They were originally written for my benefit, to make sure everything worked as expected. I thought (and still kinda think) that if something goes wrong, it would be better to have no output from the module rather than throwing errors. I had intended to remove all error messages. Either way, will definitely remove them from being hardcoded in the script for cleanup. I think your suggestion of a redirect is a great idea, and will likely implement it.
As for the custom key for LinkLok, I believe my security solution is far superior. Rather than a single “master password”, my script implements a custom random separator, as well as random length “interference string” to be mixed with each link. This interference is added numerous times to each link, and is random/different each time it is added within the link making it impossible to decode without accessing the security values stored in the database.
As for the full URL to the file being visible within the template, I feel this is again a superior way of handling it. It is true that someone editing the template can see the complete URL. Normally, I can’t imagine that being an issue though (the person running the site & editing the templates should know the path to the files they wish to share). Passing in the complete URL affords us the added benefit of storing the files on a different server altogether, or storing each and every link on a different server for that matter. Again, hiding them in a weirdly named directory only gives the “illusion” of security. I think I may consider adding the ability to locate the files on the same server outside of the root, though. Good call.
Tracking would be good, but yes, I think I’d prefer to eventually incorporate that into the database vs. log files.
Thanks for all of your helpful input, Mark and Markus!
Brad
Brad,
thanks for these interesting remarks concerning the inner working and ideas behind your module. I hadn’t digged into the source too much, but of course your explanations make a lot of sense. And of course, tracking to the database and being able to look at some logged data from inside the CP makes much more sense than a text log (its just the Linklok option available). Regarding the visibility of the real path, that perhaps only depends on the usage scenario (and the clever setting of permissions for different editors/groups) - and I have to agree that your way is extremly flexible.
Best regards Markus
Brad,
This is killin! I will be trying this out on a couple of sites very soon.
-greg
Brad,
Just to re-iterate what I have already said. This really is a fantastic module. I can use this with Amazon S3 where I am now hosting a lot of download files so I can send out links that will expire and no-one will ever (hopefully?) be able to figure out the link to the download.
Simply a brilliant addition to ExpressionEngine so thanks again for the great work on this one!!
Best wishes,
Mark
Thanks to all for their nice words, and for trying out my module. It’s really satisfying to hear such nice things after spending a week or so buried in code trying to build it.
It’s really satisfying to hear such nice things after spending a week or so buried in code trying to build it.
I’ll bet you were with that one. I don’t even understand it all though am trying to get my head around it as it is a really great addition. Thanks for this one Brad. Hope you have a great week and a little bit of rest now that you have made the first incarnation of this although I reckon you are going to get a lot of feature requests on this one! 😉
Best wishes,
Mark
Nice module. A helpful feature might be to make it work with links other than file downloads. Like maybe a link to another ExpressionEngine template.
Or maybe the feature is there and I missed something.
Thanks, John. I hadn’t really thought about obfuscating links to other pages - never had a need to do such a thing. Could certainly tweak it to do so if you have a need for such functionality.
I do, and it is for commercial use. I would rather donate to you than to LinkLok or take the time to modify the module myself.
John just out of interest (I could be misunderstanding what you are after here though) why would you want to obfuscate page links?
Just wondering what kind of system you are creating when there is quite fine control over template access using member groups on the template access restrictions part of ExpressionEngine?
I know this means that the person has to be logged-in though so I guess that is perhaps what you are trying to get around?
Just curious really 😉
Best wishes,
Mark