I have a web application which sends a download link to subscribers. Subscribers are able to click the link from their inbox and get access to download a PDF document. This is fine, but what I want is to allow access to the PDF document only when the link is clicked from the subscriber's inbox. I mean, if the subscriber forwards this email to someone else or tries to paste the link into the browser manually, it should not work.
4 Answers
What you want is impossible.
Consider this situation: You email [email protected]. They can view the email via:
a) Desktop mail client
b) Smartphone/tablet mail client
c) Webmail
All three will appear "different" to your server, depending on exactly which client they clicked on your link in. And if the user forwards the email to someone else, say [email protected], the EXACT same link will be in that person's mail file as well, and they can view it via the exact same options.
You MIGHT be able to extract a username or some other personally identifiable datum from the referer IF they used webmail and the webmail system is stupid enough to have webmail.example.com/readmail?userid=someone
But otherwise, no, you cannot assume anything about the incoming click, only that SOMEONE clicked on the link in SOME email.
There is no way to tell if a link was opened from an email client or if it was pasted into the address bar. There is no way to track if an email has been forwarded (web bug images in an HTML-formatted email are blocked by most email clients).
If you want to limit who can download the file from your servers, then require that users log in, and then hope that none of them engage in password sharing.
Even that won't stop them redistributing the file directly.
It's not really possible to "protect" a link.
But if your web application requires users to log in, you can generate a unique link for each of your users, and require them to log in before allowing the download.
People will be less prone to share their login/password than a simple URL.
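The two answers above both land on the same design: a per-user link that is only honoured for the logged-in user it was issued to. The following is an added example (not code from any of the answerers) showing what such a link looks like in practice: the token carries the user id, the document id, an expiry and a single-use nonce, is signed with HMAC-SHA256 so it cannot be altered, and is redeemed only when the session user matches the token subject. `SERVER_KEY`, the in-memory `_redeemed_nonces` set and the `payload.signature` layout are assumptions of this example; a real deployment would load the key from configuration and keep redeemed nonces in a shared store.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Example-only server secret. In a deployment this comes from configuration,
# not from code, and must be the same on every application server.
SERVER_KEY = secrets.token_bytes(32)

# Nonces already redeemed (links are single-use). Example-only in-memory set;
# production would use a database table or cache shared by all servers.
_redeemed_nonces = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_download_token(user_id: str, document_id: str,
                        ttl_seconds: int = 7 * 24 * 3600,
                        now: Optional[float] = None) -> str:
    """Build a per-user, expiring, single-use download token ("payload.signature")."""
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,          # the subscriber this link was mailed to
        "doc": document_id,      # which PDF the link grants
        "exp": int(now) + ttl_seconds,
        "nonce": secrets.token_urlsafe(16),
    }
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_download(token: str, session_user: Optional[str],
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether this request may download the document.

    Returns (allowed, reason_or_document). The requester must be logged in AND be
    the user the link was issued to, and the token must be unexpired and unused.
    A forwarded or pasted link therefore fails unless the recipient can also log
    in as the original subscriber.
    """
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        presented_sig = _b64url_decode(sig_text)
    except (ValueError, base64.binascii.Error):
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented_sig):
        return False, "bad-signature"      # tampered or forged token
    payload = json.loads(_b64url_decode(body))
    if session_user is None:
        return False, "login-required"     # redirect to login, keep the token
    if payload["sub"] != session_user:
        return False, "wrong-user"         # link used by someone it was not sent to
    if now > payload["exp"]:
        return False, "expired"
    if payload["nonce"] in _redeemed_nonces:
        return False, "already-used"
    _redeemed_nonces.add(payload["nonce"])
    return True, payload["doc"]


if __name__ == "__main__":
    tok = make_download_token("alice", "report.pdf")
    print("https://example.invalid/download?t=" + tok)
    print(verify_download(tok, None))       # (False, 'login-required')
    print(verify_download(tok, "bob"))      # (False, 'wrong-user')
    print(verify_download(tok, "alice"))    # (True, 'report.pdf')
    print(verify_download(tok, "alice"))    # (False, 'already-used')
```

The signature check runs first and uses a constant-time compare, so the server never acts on claims in a token it did not issue; the login and subject checks are what make the link "personal" in the sense the answers describe, and the nonce is what the later comment about a nonce refers to.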
I know this is an old question and I'm not sure why it was down-voted, but an idea occurred to me. If you put a common pixel tracker in your email with a token that identifies the user and the email edition, then, when it is requested, your server could note the time the email was opened and read (and successive reads). Then if the user clicks the link in the email, a token on the link identifies the same user and email edition. When the server receives this request it could compare it to the last time the matching tracking pixel was accessed. If the pixel was accessed within a few minutes before the link was requested, that implies that the email was opened and then the link was clicked.
If the user bookmarks the link and uses it the next day, there would be no recent tracking pixel history, which implies that the request was not from the inbox.
This would be easy to spoof, so it shouldn't be used for any kind of security concern. You wouldn't know if the email was forwarded to another person. Their email client would hit the tracking pixel as well.
Many email clients would block the pixel tracking for ever-increasing privacy concerns, so it isn't reliable.
If you're just looking for an indication of usage, this might work.
Nonce. See this also about a nonce: stackoverflow.com/a/4145848