Download folder - Securing

Zen Cart Download folder - Securing

In a Windows hosting environment using IIS, when you create a virtual product using download attributes, customers are able to download the product as many times as they like, using the following as an example:

Download by redirect (which Windows servers can’t usually provide) is much more secure than without redirect.

However, it’s true that if a user understands Zen Cart infrastructure, they could perhaps figure out how to download directly from the “downloads” folder.

Given that scenario, the following options are available:

1. Zen Cart already provides .htaccess protection for that folder. You could (and should) update that file to add the file extensions for all the types of files in your downloads folder, so that people using a browser cannot directly access any files matching those extensions. Granted, if you have redirect off, this may pose a problem. And of course, this only works if .htaccess is fully supported on your server (i.e., not on Windows hosts).

2. If you are using redirect or streaming, then moving the “downloads” folder into a place outside your webroot will prevent anyone from ever accessing the files with a browser unless they are using the Zen Cart-supplied links in their order details. This is the most secure approach. It requires physically relocating the folder, and editing your configure.php files to point to the real location of your downloads folder so that Zen Cart has a clue where to find the files it will be streaming to your users. This works on both Windows and Linux/Unix hosts.
See the related FAQ on “How To Relocate my Download folder outside my webroot for better security”.
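
A store owner can check both options with a short audit script. The following is an added example, not part of Zen Cart or of the original page: it reports whether the downloads folder still sits inside the webroot and which files no `<FilesMatch>` rule in the folder's .htaccess covers. It assumes every `<FilesMatch>` section in that file is a deny rule; the function names, folder layout and sample rule are constructed for illustration.

```python
import os
import re
import tempfile

# Opening tag of an Apache <FilesMatch "regex"> section, quoted or unquoted.
FILESMATCH = re.compile(r'<FilesMatch\s+(?:"([^"]+)"|([^\s>]+))\s*>', re.I)

def filesmatch_patterns(htaccess_text):
    """Compile the regex of every <FilesMatch> section found in the text."""
    return [re.compile(q or u) for q, u in FILESMATCH.findall(htaccess_text)]

def uncovered_files(download_dir):
    """Files under download_dir whose names match no <FilesMatch> regex.

    Assumption: every <FilesMatch> section in the folder's .htaccess is a
    deny rule, so a name that matches none of them is directly fetchable.
    """
    htaccess = os.path.join(download_dir, ".htaccess")
    text = ""
    if os.path.isfile(htaccess):
        with open(htaccess, encoding="utf-8") as fh:
            text = fh.read()
    patterns = filesmatch_patterns(text)
    found = []
    for root, _dirs, names in os.walk(download_dir):
        for name in names:
            if name == ".htaccess":
                continue
            # Apache applies the regex to the file name, case-sensitively.
            if not any(p.search(name) for p in patterns):
                found.append(os.path.relpath(os.path.join(root, name), download_dir))
    return sorted(found)

def inside_webroot(download_dir, webroot):
    """True if download_dir resolves to a path at or below webroot."""
    real_root = os.path.realpath(webroot)
    return os.path.commonpath([os.path.realpath(download_dir), real_root]) == real_root

def demo():
    """Run both checks on a constructed tree (not Zen Cart's shipped files)."""
    with tempfile.TemporaryDirectory() as webroot:
        folder = os.path.join(webroot, "downloads")
        os.mkdir(folder)
        rule = '<FilesMatch "\\.(zip|pdf|mp3)$">\n  Require all denied\n</FilesMatch>\n'
        for name in (".htaccess", "manual.pdf", "album.zip", "archive.ZIP", "ebook.epub"):
            with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
                fh.write(rule if name == ".htaccess" else "sample")
        return inside_webroot(folder, webroot), uncovered_files(folder)

if __name__ == "__main__":
    print(demo())
```

In the constructed tree, `archive.ZIP` is reported because the sample rule lists only the lowercase extension, and `ebook.epub` because its extension is not listed at all.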

Apart from securing your downloads folders/files, Zen Cart also only offers a limited number of download attempts per order, preventing customers from sharing usable links with their friends. You can configure the counters and even reset individual downloads again via the admin interface.


Last modified March 25, 2020 by Scott C Wilson (8e6cbbd).