LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
User Name
Password
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Notices

Reply
 
Search this Thread
Old 09-21-2006, 03:31 AM   #1
greeting
LQ Newbie
 
Registered: Jun 2006
Posts: 17

Rep: Reputation: 0
Post Howto forbid anonymous users from downloading files from hot links


Hello, friends!

I would like to forbid anonymous users from downloading files from hot links (e.g; http://www.mysite.com/pics/secret.jpg). But, I would like to allow logged in users to download that files from hot links.

I am using Apache Web Server, PHP and mySQL.

Regards,
greeting
 
Old 09-21-2006, 06:41 AM   #2
DeNayGo
Member
 
Registered: Jun 2005
Location: Aachen, Germany
Distribution: Debian
Posts: 74

Rep: Reputation: 16
One way would be to put the pictures in a folder that can't be accessed from outside, and use a PHP script, like http://www.mysite.com/pic.php/secret.jpg, to load them. Then, that script can always check if the user is logged in.
 
Old 09-21-2006, 09:33 AM   #3
zero_g
LQ Newbie
 
Registered: Sep 2006
Posts: 6

Rep: Reputation: 0
Try htaccess

If your host allows this, try htaccess...

http://www.javascriptkit.com/howto/htaccess.shtml
 
Old 09-22-2006, 03:55 AM   #4
greeting
LQ Newbie
 
Registered: Jun 2006
Posts: 17

Original Poster
Rep: Reputation: 0
Question .htaccess gives error for %{HTTP_REFERER}!^$

Hello, zero_g!

I refered to the following site http://www.javascriptkit.com/howto/htaccess10.shtml
and fill the following lines

Code:
RewriteEngine on
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://www.mysite.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://www.mysite.com/angry/angryman.gif [R,L]
Unfortunately, I got the error RewriteCond: bad argument line '%{HTTP_REFERER}!^$'

If I comment out that line, it is working properly. What's wrong with me?


Friend DeNayGo, I interest your idea too. But, I have no idea how I should do for the time being.

***I am running apache on winXP.***



Regards,
greeting
 
Old 09-22-2006, 06:00 AM   #5
pankaj99
Member
 
Registered: Mar 2006
Location: India
Distribution: Fedora
Posts: 47

Rep: Reputation: 15
I don't know much about javascript.
correct me if I'm wrong.

what you can do is
1)when a user logs in assign a "session id" to him
so anonymous users do not have a session id.
2)when a user clicks on a link jump to a function
in javascript .
I think in javascript there is something like
"onclick=myfunction()"

3)in the function check if the session id is set
4)if session id is not set give out an error message
else session id is set redirect the logged in user to the file.
 
Old 09-22-2006, 06:28 AM   #6
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116Reputation: 116
pankaj99, you seem to be misunderstanding a vital part of JavaScript, that it is client-side not server-side. This means you're trusting the browser's user to not just read the script source and find the file's location. Session ids are maintained by the server, and although they may be stored in a cookie or appended to urls in a page, trusting the client's end to check that some passed value is set to some 'allowed' flag is again flawed. The server should decide if it has recieved authentication from the client, and either deliver simply a yes or no page, not one containing the secret information but attempting to hide it or check at the client's end.
 
Old 09-22-2006, 08:39 AM   #7
pankaj99
Member
 
Registered: Mar 2006
Location: India
Distribution: Fedora
Posts: 47

Rep: Reputation: 15
proud,
yes you are correct.
Then maybe the OP can verify the session id using
a server side scripting language like php.
then allow a user to download if it is set else not.
 
Old 09-22-2006, 08:43 AM   #8
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116Reputation: 116
That would seem to be what DeNayGo concluded too.
 
Old 09-22-2006, 09:19 AM   #9
zero_g
LQ Newbie
 
Registered: Sep 2006
Posts: 6

Rep: Reputation: 0
I was thinking of using the password protection...

http://www.javascriptkit.com/howto/htaccess3.shtml

However, the simplest approach for you is what DeNayGo suggested
since you are using PHP already and have implemented
a session id.

.htaccess is just basic security so you can control access
to files easily without much scripting or having to implement
a session id.
 
Old 09-23-2006, 12:27 AM   #10
greeting
LQ Newbie
 
Registered: Jun 2006
Posts: 17

Original Poster
Rep: Reputation: 0
Question I use .htaccess and php code. Is it secure?

Dear Friends,

I have added the following .htaccess file to my pics directory (Let's assume that nobody knows pics directory ). Even they know (if I keep secret that folder, how they can know?) the hot link, the following lines will prevent hot linking. Right??? (I am not sure. If I make mistake, please point me out.)
Code:
RewriteEngine on
RewriteRule \.(gif|jpg)$ http://www.mysite.com/angry/angryman.gif [R,L]
And I have added the download.php file to home directory. It checks whether guests or logged in user. It use php's readfile() function and read file from the pics directory(secret directory). So, logged in user can download file.

Can I say my secret.jpg is secure, now????????

Further more, I would like to know these:

The following line wants to mean empty referer is allowed? (!^$ means NOT empty)
(*** Apache blame me it is error. I've posted about that case ***)
Code:
RewriteCond %{HTTP_REFERER}!^$

And The following line wants to mean will allow only for http://www.mysite.com?
Code:
RewriteCond %{HTTP_REFERER}!^http://www.mysite.com/.*$ [NC]
Regards,
greeting
 
Old 09-24-2006, 12:02 PM   #11
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 115Reputation: 115
It would be more secure if you move your pics directory to a location above the root of your website. Then, visitors from the web cannot get to the directory, but your PHP script can.
 
Old 09-25-2006, 05:48 AM   #12
greeting
LQ Newbie
 
Registered: Jun 2006
Posts: 17

Original Poster
Rep: Reputation: 0
Thank you, Jiml8. I have never thought like that before.
 
Old 09-25-2006, 10:14 AM   #13
slantoflight
Member
 
Registered: Aug 2005
Distribution: Smoothwall
Posts: 283
Blog Entries: 3

Rep: Reputation: 35
This simple bit of html is guaranteed to work.

Code:
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="content-type">
<title>Hot linking is bad!</title>
</head>
<body>
<font size="+3"><span style="font-weight: bold; color: rgb(255, 0, 0);">Anonymous
hot linking is forbidden!!!!</span><br style="font-weight: bold;">
</font><br>
<br>
</body>
</html>
The text is foreboding on its own, but I think its the red text that really locks out thieves.
 
Old 09-26-2006, 01:44 AM   #14
greeting
LQ Newbie
 
Registered: Jun 2006
Posts: 17

Original Poster
Rep: Reputation: 0
Dear slantoflight,

What do you want to mean? I can't catch your idea.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
anonymous users can't upload files-vsftpd dx0r515t Linux - Networking 3 11-21-2012 01:09 AM
PHP Code to check how many users are downloading files. farmerjoe Programming 8 04-01-2005 04:23 PM
files uploaded to anonymous ftp not readable by anonymous TheOneAndOnlySM Linux - Software 2 11-04-2004 08:42 AM
vsftpd won't follow links for anonymous login sebaldus Linux - Software 7 08-22-2004 03:14 AM
Howto stop users creating certain files kinasz Linux - Security 4 05-06-2004 03:13 AM


All times are GMT -5. The time now is 08:06 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration