0

I'm having a download application and I want to encrypt the links for file downloads, so that the user doesn't know the id of the file. Furthermore I'd like to include date/time in the link, and check when serving the file if the link is still valid.

There's a similar question asked here, but I'm running into problems with the character encodings, since I'd like to have urls like /file/encrypted_string/ pointing to the views for downloading, so best would be if the encrypted result only contains letters and numbers. I prefer not using a hash, because I do not want to store a mapping hash <> file somewhere. I do not know if there's a good encryption out there that fulfills my needs...

Improve this question

4 Answers 4

Reset to default
2

Sounds like it would be easy, especially if you don't mind using the same encryption key forever. Just delimit a string (/ or : works as well as anything) for the file name, the date/time, and anything else you want to include, then encrypt and b64 it! Remember to use urlsafe_b64encode, not the regular b64encode, which will produce broken urls. It'll be a long string, but so what?

I've done this a few times, using a slight variation: Add a few random characters as the last piece of the key and include that at the beginning or end of the string - more secure than always reusing the same key, without the headaches of a database mapping. As long as your key is complex enough the exposed bits won't be enough to let crackers generate requests at will.

Of course, if the file doesn't exist, don't let them see the decoded result...

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Pefect, didn't think of base64 before. tooksome playing around to find out to convert the string before decoding from unicode to string, but was exactly the solution i was looking for!
1

By far the easiest way to handle this is to generate a random string for each file, and store a mapping between the key strings and the actual file name or file id. No complex encryption required.

Edit: You will need to store the date anyway to implement expiring the links. So, you can store the expiration date, a long with the key, and periodically cull out expired links from the table.

Improve this answer

3 Comments

Well yes I know, as I said if possible I'd prefer to not store any additional data, because the links should also be valid for a short amount of time, and this makes it necessary to generate many of them (which also should get cleaned up if outdated)...
Also, note that you can remove the expired links for example only once per day, you don't have to schedule an action at the exact time of expiration.
The problem is that I'd need to generate pages that have 20-50 links, which would mean as many inserts in the database when generating the page... If I'd generate the links on the fly I could code an expiry time in them so no need to store anything...
0

If your problem is just one of encryption and decryption of short strings, Python's Crypto module makes it a breeze.

Improve this answer

Comments

0

You can encode any character into the url, with django, you may use it's urlencode filter.

However, generating a random string and saving the mapping is more secure.

Improve this answer

1 Comment

If you read the example given in the question you'll see that I did, but if I use the encoded string in urls like /endcoded_string/ and not as a GET-parameter, the server gives me http error 400.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.