Restricting access by IP, cookie? - A better solution?

I'm using PHP & MySQL to limit access of downloads to unregistered users.

The only options I see to do this are cookies and/or IP address.

Cookies are not a good solution, seeing as it's important that a user can't reset their download count by deleting their cookies - as the idea is that they pay if their usage is above a certain level.

That leaves me with restricting the access by recording the IP address in PHP and inserting it into the MySQL database. The problem with this traditionally is that some people are on dynamic/shared IPs, and so the count will mean nothing to them, and could even stop other potential customers from having their free downloads.

But then again, virtually all of my sales are from Western countries, and it seems that most people in the West are now on a static IP address... is this correct?

What would be the best solution for this dilemma? Any thoughts?

You can better identify a unique user by using a mix of tactics than just one tactic. Combining the IP address, a cookie and the browser's user agent can give you a unique key for a client. I also recommend embedding a JavaScript snippet that sends OS, screen size, etc. to the server to be associated with the unique user.

You then use a step-down approach to regulate access. Users who provide you all the access to the above information can download the files to their limits. Users who restrict cookies or disable JavaScript get less access to the files. And you fall back on the IP as being simply a unique ID for the user. If they are on a shared network, then tough for them, they should enable cookies.

For people with rolling IP addresses, disabled cookies and disabled JavaScript, there isn't really much you can do, but they represent a small percentage of users.

A cookie isn't a good way to ID someone, because they can delete it, but it will save you some DB execution for looking up just the IP and user agent. So it's more of a speed thing.
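The step-down approach from the answer above, as an added PHP example that is not part of the original answer. The tier limits, the HMAC-based keys, the `cookie_ok` and `js_profile` field names and the in-memory counter array are assumptions; the key is derived from IP, user agent and JS profile, and the cookie only decides the tier.

```php
<?php
// Added example; limits, key layout and the in-memory store are assumptions.
const TIER_LIMITS = ['full' => 5, 'partial' => 3, 'ip_only' => 1];

// One lookup key per granularity, built from the signals the request carried.
function clientKeys(array $s, string $secret): array
{
    $mac  = fn(string ...$p) => hash_hmac('sha256', implode("\x1f", $p), $secret);
    $ua   = $s['user_agent'] ?? '';
    $keys = ['ip_only' => $mac('ip', $s['ip'])];
    if ($ua !== '') {
        $keys['partial'] = $mac('ip+ua', $s['ip'], $ua);
    }
    if ($ua !== '' && !empty($s['js_profile'])) {
        ksort($s['js_profile']);              // stable field order before hashing
        $keys['full'] = $mac('ip+ua+js', $s['ip'], $ua, json_encode($s['js_profile']));
    }
    return $keys;
}

// Tier follows how many optional signals (cookie accepted, JS profile sent) are present.
function clientTier(array $s): string
{
    $n = (int) !empty($s['cookie_ok']) + (int) (!empty($s['js_profile']) && !empty($s['user_agent']));
    return ['ip_only', 'partial', 'full'][$n];
}

function tryDownload(array &$counts, array $s, string $secret): bool
{
    $tier = clientTier($s);
    $keys = clientKeys($s, $secret);
    $key  = $keys[$tier] ?? $keys['ip_only']; // fall back to the coarsest key
    if (($counts[$key] ?? 0) >= TIER_LIMITS[$tier]) {
        return false;                         // over quota for this tier
    }
    foreach ($keys as $k) {                   // count at every granularity so that
        $counts[$k] = ($counts[$k] ?? 0) + 1; // dropping a signal does not reset usage
    }
    return true;
}

// Constructed sample requests (documentation IP range).
$secret = 'example-secret-change-me';
$counts = [];
$alice  = ['ip' => '203.0.113.7', 'user_agent' => 'ExampleBrowser/1.0', 'cookie_ok' => true,
           'js_profile' => ['os' => 'Linux', 'screen' => '1920x1080']];
for ($i = 0; $i < 5; $i++) { tryDownload($counts, $alice, $secret); }
var_dump(tryDownload($counts, $alice, $secret)); // sixth attempt at full tier
var_dump(tryDownload($counts, ['ip' => '203.0.113.7', 'user_agent' => 'ExampleBrowser/1.0'], $secret)); // same client, cookie and JS off
```

With the MySQL table the question mentions, `$counts` would become rows keyed by the hash, and the check and increment would run in one transaction so parallel requests cannot exceed the limit.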

is this correct?

No.

You can solve the dilemma by creating server-side sessions. Users must identify themselves and log in. Then you can track all you need to track.

Edit: To recap: You want the client system to require nothing at all but identify the user. You wish for too much at once and obviously you've chosen the wrong platform.

Let's recap more closely:

  • Cookies: You don't want them.
  • IP Address: Just like closing the browser, switching the IP is easy. You don't want that.

Now let me think what is left? Hmm. Well. Nothing?

The only thing you can do is to try to combine as many identification elements as possible, without making each of them required on its own, so that they combine into a sum of something useful and practicable for identifying the user via patterns:

  1. Cookies
  2. IP
  3. Headers
  4. More Headers
  5. Referrer

Track that with a server-side session. As written, you need a session if you want to start building something sophisticated.

Ask the visitor of your website to supply at least an e-mail or some other information that can't be changed or left on the client side. Cookies and sessions can be cleared, IPs may be dynamic.