Is your CB Thank you page SECURE?

Hi everyone,

I had a problem with setting up my Clickbank thank you page, the problem being that the thank you page becomes publicly available. I wanted to deliver my downloadable product upon the end of the purchase for direct download. But thats a problem coz the thank you page could be misused and the product made available to anyone.

So i wrote a kind of clever script that solves this problem, still delivers the downloadable product on the fly but its never available to the public.

I was wondering how you guys deliver your clickbank products. Am thinking about making this into a product, would like to know if this would interest clickbank users.

Thanks in advance.

 

if its a simple setup then I would probably be interested

 

It's easy to setup, and does the job well. PM me if you want more information.

 

Forgot to say it works on PHP btw

 

If it is on a server, it is always available to the public- just sayin'.

 

Not really, its only available if the public knows where it is on the server

 

Clickbank offers a PHP solution for making your thank you page secure. The only thing it wouldn't cover is an affiliate/publisher who knows how to make the query string authentic. My thank you pages check the variables clickbank sends as well as my secret key and if it's true the get to download the product, if false they get a "restricted access" message.

I'm sure your script operates on the premise of clickbanks pass-through variables so it wouldn't be anymore secure than theirs; however, I guess you could implement a unique session variable, but that still leaves it open to people who know how to manipulate clickbanks query string.

So to the publishers, just use clickbanks solution. It's as secure as you can get without processing the payments yourself.

Also, editing the query string would only work if you knew the publishers secret key... so they would have to buy the product, get the query string, return the product and than distribute that URL. Sure you COULD crack it, but it uses the sha1 encryption algorithm so it would take a VERY long time. If you want to learn more just google public/private key encryption. It works similar to that. You know the 'public' key (cbpop in the query string), but only the publisher and clickbank know the private key to unlock it and tell whether you actually bought it or not.

My 0.02 cents.

 

Actually no, it doesn't use clickbank's system at all. I can confidently say its 100% secure and impossible to break (as daring as that sounds). It's kind of an "out of the box" method.

 

domado, i don't mean to argue, but anything can be broken... AND using clickbanks cbpop url value is probably the most secure way to secure your thank you page. I've thought about other ways to secure it, and that way seems the best. A person would need to know the private key in order to break it... or a lot of processing power.

I hope you're not using sessions to secure the thank you page, because sessions wouldn't really be a good idea.

For the effort it takes to implement clickbanks solution and being based on public/private key security it really is the best way to go.

 

Hey andrew, no thats cool. Sure, I agree with the anything can be broken part. What I don't agree with, is saying my method wouldn't be as good as an other, without knowing anything about it, just because its commonly believed that the method you are talking about is the most secure

It could happen that something new comes up that you haven't thought of or thats not main stream, I would appreciate if you could at least respect the possibility and maybe ask and listen before bringing down my idea. Thanks.

 

Very true, and I'm sorry about that. What method are you using to keep the thank you page secure?

 

Be sure to use robots.txt to keep it out of google, Or ask them to remove it, I've seen a helluva lot of thankyou pages indexed.

 

No worries andrew,

The method is extremely simple, not so elegant, but still effective. Extremely easy to integrate though. What it does is, the thank you page requires a certain code in the query string...for example:

.../thankyou.php?id=3829704293343

it will only show if you use that code...now of course that's not all when the user lands on that page, the php script changes this code in the database (or file) and logs in to the clickbank account and changes the thank you page to the new code

In other words, the thank you page is constantly changing with every sale (or so many sales, you can configure it) and theres always ever one code that will show the thank you page, and no one can ever know it...its only stored in your database and your clickbank account.

Like I said, not so elegant, but effective and easy to set up...all you do is upload the script, set your clickbank details and its done. It uses a secure connection to login to your clickbank account so no way to intercept it.

Would like to hear your feedback...I may be wrong on this

 

Are you using curl to login to clickbank? It is quite an elegant solution, your simply adding randomness to clickbanks checker. And randomness is a really good security feature . The only thing I *might* get concerned about is if you weren't using curl, as I don't know how secure it would be than.

 

it uses curl thanks for the positive feedback

 

oh...not sure if i made it clear...it doesn't use clickbanks checker at all actually...

It just uses the plain simple static thank you page field on your product profile...simply changes it after every sale...the only way you will ever get to the current accepted thank you page is through making payment...after which the static thank you page will be changed and the same situation is reset

 

ah, I get it now. Seems to be a round about way of doing it, and you really don't verify whether they've bought it. I think your solution would work, but there could be some potential security issues (logging in remotely, even with ssl); however, if you integrated your solution with clickbanks I think it would improve theirs.

 

What happens if two sales occur almost at the same time?

And then...

What happens if the sales happen in one order, but the downloads happen in the opposite order?

 

Actually I thought about that, so one code doesn't just expire, there's a delay before it expires, so both codes are valid simultaneously for a while, then the other drops...

And downloads are separate...once the thank you page shows, you get a temporary link to the download, which expires is so many hours. So if you've been able to visit the thank you page, that means you've paid, and so you have your own unique link.

 

I Protect my content from abuse and thefts with this software www.fixmythankyoupage.com
It is very easy to install and very effective TYPage Protector integrates with Clickbank sales data, the software will check to make sure a successful payment has been made before releasing access to your thank you page.