lyn.teyla at gmail.com
Sat Mar 5 19:01:21 EST 2016
Colin Holgate wrote:
> I may have missed a reply too. Which one covered the question of the PDF remaining encrypted after the user has downloaded it?
You added the following 5 requirements after my response containing the suggested implementation:
1. The PDF file itself is also to be encrypted with a password.
2. The PDF encryption is not to be performed beforehand using Acrobat.
3. The PDF encryption is to be performed on the server.
4. The PDF file is to remain encrypted upon receipt.
5. The user is to be prompted to enter the password to unlock it.
With your above additional requirements in mind, the suggested implementation would be as follows:
- Store the PDF on the server, somewhere outside the web folder so it can’t be loaded directly by web visitors.
- Get the user to access the system via a HTTPS connection, which is needed for a secure login mechanism anyway.
- The HTTPS connection does all of the encrypting and decrypting so you don’t have to code it yourself.
- The user logs in via your LiveCode Server app, which handles the usual user authentication stuff using cookies and sessions.
- When the logged-in user asks for the PDF file, have your LiveCode Server app generate a new password and send it to a command line app that has the ability to encrypt PDF files, such as PDFtk:
- Have that command line app output the encrypted PDF file to a location outside the web folder so it can’t be loaded directly by web visitors.
- Have your LiveCode Server app display the newly-generated password on a page in the web browser, with an accompanying download link which calls your LiveCode Server app.
- When the user clicks the download link, have your LiveCode Server app read from the encrypted PDF file and write it out to the web browser (as with any other web content), and with the appropriate Content-Type HTTP header.
- Since you’re having all data transmitted over a HTTPS connection, the user’s login details as well as the PDF file are encrypted whilst in transit.
- Since your LiveCode Server app is the one deciding whether or not to display the PDF (and any other data) based on whether the user is signed in, access can be effectively limited to that user.
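
The password-generation and server-side encryption steps listed above, sketched as shell functions a server app could call. This is an added example, not part of the original message; `PRIVATE_DIR`, its default path and the function names are assumptions, and the PDFtk options used are `output`, `encrypt_128bit`, `user_pw` and `owner_pw`.

```shell
#!/bin/sh
# Added example: per-request PDF encryption with PDFtk.
# Directory outside the web folder for encrypted copies (hypothetical path).
PRIVATE_DIR="${PRIVATE_DIR:-/srv/pdf-private/out}"

# Generate a 20-character alphanumeric password from the kernel CSPRNG.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20
}

# Generate a random 32-hex-character token used as the output file name,
# so the download handler never builds a path from user-supplied input.
gen_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# encrypt_pdf SOURCE_PDF PASSWORD -> prints the path of the encrypted copy.
# The password is passed as its own argument (no shell string building),
# but arguments are visible to other local users in the process list
# while pdftk runs, so run this on a host without untrusted local accounts.
encrypt_pdf() (
    src=$1; pw=$2
    [ -f "$src" ] || { echo "missing source PDF" >&2; exit 1; }
    [ -n "$pw" ]  || { echo "empty password" >&2; exit 1; }
    umask 077    # encrypted copy readable by the app user only
    out="$PRIVATE_DIR/$(gen_token).pdf"
    # user_pw: the password the recipient types to open the file.
    # owner_pw: a separate random password that is never disclosed.
    pdftk "$src" output "$out" encrypt_128bit \
          user_pw "$pw" owner_pw "$(gen_password)" || exit 1
    printf '%s\n' "$out"
)
```

The server app would show the generated password on the HTTPS page, keep the returned path in the user's session, and delete the encrypted copy once it has been downloaded.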