Phoca Forum

Hello,

I am trying to setup the ability to download using unique tokens, as detailed in your documentation, but am having difficulties - but only on certain browsers, which is odd.

My setup is as follows:

• Hidden, public, menu item created of type "Phoca Download » Download View"
• Published, authorised, and public file uploaded with security token generated
• Unique download link contains the menu item name e.g. www.example.com/download/[download-token]
• I have a HTML template override for the download page, but the same issue occurs with the default HTML
• Phoca Download version 3.1.4, Joomla 3.8.12, PHP 7.0.32

The "Download file" button is a link with target www.example.com/download/[download-toke ... r-token]=1. Clicking on this link using the latest version of Chrome (70), Firefox (62), Internet Explorer (11) and Edge (40-something) causes the page to change to www.example.com/download/ and display "File not found". Clicking the link using Safari (12) successfully downloads the file and the page does not change.

I tried to figure out why it worked in Safari only by using the web developer consoles built into the browsers, but it didn't help much. However, when the download link/button was clicked in Safari, an error message appeared in the console: "Failed to load resource: Frame load interrupted" alongside the link that is loaded when the download button/link is clicked.

Are you able to offer any advice on how I can get the unique download link working on other browsers? I've had a browse through the documentation and forums and couldn't find anyone else asking about this, nor anything that looked odd in the code.

Thank you

Hi, hmmm:

"Failed to load resource: Frame load interrupted" - I don't think, this will be somehow related to Phoca Download (there are no frames, ...)

Testing now the download in Firefox and Chrome (Joomla! 3.8.12, PHP 7.2, PD 3.1.4)



When you disable SEF feature only for test, do you get the same problem?
(disabling SEF, going to File Edit, copy new link and test it)
Jan

Hi Jan,

Thank you for getting back to me. Disabling SEF did not make a difference, but I think I figured out why it isn't working: cookies.

As the site is hosted in the EU we have to block all cookies until a user accepts them (using EU e-Privacy Directive), if a user accepts cookies they are able to download the file ok. However, our site only really needs cookies if you need to log in to the website - so we don't display one of those anying cookie permission popups to the (majority) of users who use our site without logging in - giving them a better web experience. Ideally, users who don't log in shouldn't have to accept cookies to download a file through the token system, but I don't know how it works under the hood.

Does Phoca download need cookies for the unique token download feature to work or would it be possible to do so without them?

Regarding me saying that it only worked in Safari, I'm afraid my testing wasn't as thorough as I intended. Removing cookies in Safari or using a private window also gives the aforementioned error.

Thank you.

Hi, I think on the site to download there will be just standard Joomla! cookies, but for the Phoca Download link, no cookies are used becasue the password/token/key is set in URL (so there are no checked stored cookies like when you login but just the URL)

Jan

Hi - yes, I think that is the problem. The unique token download does not work when the Joomla session cookie is not present. Indeed, looking at the code in PhocaDownloadRoute.getDownloadRoute(), there is a reference to JSession.

It might be worth updating the documentation to say that the unique token download feature doesn't work if cookies are disabled - unless you think there is a workaround?

Thanks

Hi, sorry I don't understandw what you exactly mean, can you please point to the code exactly so I can take a look at it.

Jan

Hi Jan,

Apologies for the delay in my response.

In the /administrator/components/com_phocadownload/libraries/phocadownload/path/route.php file, there is a method called getDownloadRoute. This is called by /components/com_phocadownload/views/download/tmpl/default.php.

I don't know much about Joomla, but the code in the route.php file seems to be making use of a Joomla session (JSession::getFormToken()). When all cookies are blocked by a website, this includes the Joomla session cookie. So my thought is that the behaviour of code that tries to use Joomla session may not be as intended when there is no Joomla session cookies.

This would explain why the direct download did not work when all cookies were blocked, but did work when cookies were enabled. It was not that a Phoca Download cookie was being blocked, but that the Joomla session cookie was being blocked.

I may also be completely wrong - but I hope this makes more sense.

Hi,
JSession::getFormToken()

is standard Joomla! method, which ads token to the url. Token is used for the links and forms to know, that the form or link is really coming from the same site (so in fact you send the token and it is checked by controller to know, it is still a part of the same site)

You can try to remove the token here:
administrator\components\com_phocadownload\libraries\phocadownload\path\route.php
line cca 244
FROM: TO: but not sure if you will not get token problems on your site.

Jan