best practice for downloadable product?

My RoR site will offer a software product with a freebie reduced-functionality version and a for-sale version. I've done the store site except for the downloading and credit card processing. For the latter I've investigated and made some choices.

But to support downloading the product, what are the best practices? Are there code snippets available? Is it better to do this with a 'secret url' or what? I'm a newbie at this particular thing.

If you have a sense of security or other trade-offs, I'd much appreciate your input. Thanks so much.

minka wrote:

But to support downloading the product, what are the best practices?
Are there code snippets available? Is it better to do this with a
'secret url' or what? I'm a newbie at this particular thing.

Security through obscurity is barely any security at all.

1) Put the file to download in a directory that your rails scripts can
read from the filesystem, but that the user cannot request as a URL.

2) Have the user request a file that is a ruby script

3) Have that script see if the user is allowed to download the file. If
so, the script reads the file from the disk and streams it out to the
user (setting HTTP headers as appropriate for the file type and name).

Hello,

But to support downloading the product, what are the best practices? Are there code snippets available? Is it better to do this with a 'secret url' or what? I'm a newbie at this particular thing.

If you have a sense of security or other trade-offs, I'd much appreciate your input. Thanks so much.

I'm not sure about best practices here, but this simple approach works:

1. Store your product somewhere on the file system where it can't be reached from a URL, i.e. outside the public/ directory.

2. Write an action in your controller which uses send_file [1] to send your product to the browser. You can add in any other behaviour you like in this action such as counting the number of downloads, only sending the file if it's Tuesday and the caller's IP address is an even number, etc.

Hope that helps,
Andy Stewart

[1] http://api.rubyonrails.org/classes/ActionController/Streaming.html#M000072
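The approach both replies describe (keep the file outside public/, have an action check that the caller is entitled, then stream it with send_file), as an added Ruby example that is not code from either poster. The product table, the user hash and the temporary directory are constructed stand-ins; a real app would take them from its models and a directory under Rails.root.

```ruby
require "tmpdir"
require "fileutils"

# Private storage outside public/: nothing in here is served as a static URL.
PRIVATE_DIR = Dir.mktmpdir("downloads")  # constructed stand-in for e.g. Rails.root/private

# Constructed catalogue: file for each product key and whether it requires a purchase.
PRODUCTS = {
  "lite" => { file: "product-lite.zip", paid: false },
  "full" => { file: "product-full.zip", paid: true },
}.freeze

# Constructed sample files so the example runs offline.
PRODUCTS.each_value do |p|
  File.write(File.join(PRIVATE_DIR, p[:file]), "fake zip bytes for #{p[:file]}")
end

# Returns the send_file arguments when the user may download the product, otherwise nil.
# `user` is a hash such as { purchased: ["full"] }; in a real app it comes from the
# logged-in account and its orders, never from the request itself.
def download_args(user, product_key)
  product = PRODUCTS[product_key]
  return nil unless product                      # unknown key: refuse, don't guess a file
  return nil if product[:paid] && !user.fetch(:purchased, []).include?(product_key)

  path = File.expand_path(product[:file], PRIVATE_DIR)
  # Belt and braces: confirm the resolved path is still inside the private directory
  # and points at a regular file before anything is streamed.
  return nil unless path.start_with?(PRIVATE_DIR + File::SEPARATOR) && File.file?(path)

  { path: path, filename: product[:file], type: "application/zip", disposition: "attachment" }
end

# The controller action then reduces to:
#   args = download_args(current_user_entitlements, params[:product])
#   args ? send_file(args.delete(:path), args) : head(:forbidden)
```

Because the path is fixed by the catalogue and the entitlement check runs before send_file, knowing or guessing the URL of the paid download gives nothing without a matching purchase.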