Howto forbid anonymous users from downloading files from hot links

greeting · 09-21-2006, 02:31 AM

Hello, friends!

I would like to forbid anonymous users from downloading files from hot links (e.g; http://www.mysite.com/pics/secret.jpg). But, I would like to allow logged in users to download that files from hot links.

I am using Apache Web Server, PHP and mySQL.

Regards,
greeting

DeNayGo · 09-21-2006, 05:41 AM

One way would be to put the pictures in a folder that can't be accessed from outside, and use a PHP script, like http://www.mysite.com/pic.php/secret.jpg, to load them. Then, that script can always check if the user is logged in.

zero_g · 09-21-2006, 08:33 AM

If your host allows this, try htaccess...

http://www.javascriptkit.com/howto/htaccess.shtml

greeting · 09-22-2006, 02:55 AM

Hello, zero_g!

I refered to the following site http://www.javascriptkit.com/howto/htaccess10.shtml
and fill the following lines

Code:

RewriteEngine on
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://www.mysite.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://www.mysite.com/angry/angryman.gif [R,L]

Unfortunately, I got the error RewriteCond: bad argument line '%{HTTP_REFERER}!^$'

If I comment out that line, it is working properly. What's wrong with me?

Friend DeNayGo, I interest your idea too. But, I have no idea how I should do for the time being.

***I am running apache on winXP.***

Regards,
greeting

pankaj99 · 09-22-2006, 05:00 AM

I don't know much about javascript.
correct me if I'm wrong.

what you can do is
1)when a user logs in assign a "session id" to him
so anonymous users do not have a session id.
2)when a user clicks on a link jump to a function
in javascript .
I think in javascript there is something like
"onclick=myfunction()"

3)in the function check if the session id is set
4)if session id is not set give out an error message
else session id is set redirect the logged in user to the file.

Proud · 09-22-2006, 05:28 AM

pankaj99, you seem to be misunderstanding a vital part of JavaScript, that it is client-side not server-side. This means you're trusting the browser's user to not just read the script source and find the file's location. Session ids are maintained by the server, and although they may be stored in a cookie or appended to urls in a page, trusting the client's end to check that some passed value is set to some 'allowed' flag is again flawed. The server should decide if it has recieved authentication from the client, and either deliver simply a yes or no page, not one containing the secret information but attempting to hide it or check at the client's end.

pankaj99 · 09-22-2006, 07:39 AM

proud,
yes you are correct.
Then maybe the OP can verify the session id using
a server side scripting language like php.
then allow a user to download if it is set else not.

Proud · 09-22-2006, 07:43 AM

That would seem to be what DeNayGo concluded too.

zero_g · 09-22-2006, 08:19 AM

I was thinking of using the password protection...

http://www.javascriptkit.com/howto/htaccess3.shtml

However, the simplest approach for you is what DeNayGo suggested
since you are using PHP already and have implemented
a session id.

.htaccess is just basic security so you can control access
to files easily without much scripting or having to implement
a session id.

greeting · 09-22-2006, 11:27 PM

Dear Friends,

I have added the following .htaccess file to my pics directory (Let's assume that nobody knows pics directory

). Even they know (if I keep secret that folder, how they can know?) the hot link, the following lines will prevent hot linking. Right??? (I am not sure. If I make mistake, please point me out.)

Code:

RewriteEngine on
RewriteRule \.(gif|jpg)$ http://www.mysite.com/angry/angryman.gif [R,L]

And I have added the download.php file to home directory. It checks whether guests or logged in user. It use php's readfile() function and read file from the pics directory(secret directory). So, logged in user can download file.

Can I say my secret.jpg is secure, now????????

Further more, I would like to know these:

The following line wants to mean empty referer is allowed? (!^$ means NOT empty)
(*** Apache blame me it is error. I've posted about that case ***)

Code:

RewriteCond %{HTTP_REFERER}!^$

And The following line wants to mean will allow only for http://www.mysite.com?

Code:

RewriteCond %{HTTP_REFERER}!^http://www.mysite.com/.*$ [NC]

Regards,
greeting

jiml8 · 09-24-2006, 11:02 AM

It would be more secure if you move your pics directory to a location above the root of your website. Then, visitors from the web cannot get to the directory, but your PHP script can.

greeting · 09-25-2006, 04:48 AM

Thank you, Jiml8. I have never thought like that before.

slantoflight · 09-25-2006, 09:14 AM

This simple bit of html is guaranteed to work.

Code:

<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="content-type">
<title>Hot linking is bad!</title>
</head>
<body>
<font size="+3"><span style="font-weight: bold; color: rgb(255, 0, 0);">Anonymous
hot linking is forbidden!!!!</span><br style="font-weight: bold;">
</font><br>
<br>
</body>
</html>

The text is foreboding on its own, but I think its the red text that really locks out thieves.

greeting · 09-26-2006, 12:44 AM

Dear slantoflight,

What do you want to mean? I can't catch your idea.