Howto forbid anonymous users from downloading files from hot links
Hello, friends!
I would like to forbid anonymous users from downloading files from hot links (e.g., http://www.mysite.com/pics/secret.jpg). But I would like to allow logged-in users to download those files from hot links.
One way would be to put the pictures in a folder that can't be accessed from outside, and use a PHP script, like http://www.mysite.com/pic.php/secret.jpg, to load them. Then, that script can always check if the user is logged in.
I don't know much about JavaScript.
Correct me if I'm wrong.
What you can do is:
1) When a user logs in, assign a "session id" to him, so anonymous users do not have a session id.
2) When a user clicks on a link, jump to a function in JavaScript. I think in JavaScript there is something like "onclick=myfunction()".
3) In the function, check if the session id is set.
4) If the session id is not set, give out an error message; else, if the session id is set, redirect the logged-in user to the file.
pankaj99, you seem to be misunderstanding a vital part of JavaScript, that it is client-side not server-side. This means you're trusting the browser's user to not just read the script source and find the file's location. Session ids are maintained by the server, and although they may be stored in a cookie or appended to URLs in a page, trusting the client's end to check that some passed value is set to some 'allowed' flag is again flawed. The server should decide if it has received authentication from the client, and either deliver simply a yes or no page, not one containing the secret information but attempting to hide it or check at the client's end.
proud,
Yes, you are correct.
Then maybe the OP can verify the session id using a server-side scripting language like PHP, then allow a user to download if it is set, else not.
I have added the following .htaccess file to my pics directory (let's assume that nobody knows the pics directory). Even if they know the hot link (if I keep that folder secret, how can they know?), the following lines will prevent hot linking. Right??? (I am not sure. If I have made a mistake, please point it out.)
Code:
RewriteEngine on
RewriteRule \.(gif|jpg)$ http://www.mysite.com/angry/angryman.gif [R,L]
And I have added the download.php file to the home directory. It checks whether the visitor is a guest or a logged-in user. It uses PHP's readfile() function to read the file from the pics directory (the secret directory). So a logged-in user can download the file.
Can I say my secret.jpg is secure now?
Furthermore, I would like to know this:
Does the following line mean that an empty referer is allowed? (!^$ means NOT empty)
(*** Apache tells me it is an error. I've posted about that case. ***)
It would be more secure if you move your pics directory to a location above the root of your website. Then, visitors from the web cannot get to the directory, but your PHP script can.
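The approach the thread converges on (pictures kept outside the web root and served by a PHP script that checks the login on the server), as an added example that is not code from any poster. The `$_SESSION['user_id']` key, the `/var/www/private_pics` path and the `?file=` parameter are assumptions.

```php
<?php
// download.php: added example, not code from the thread.
// Assumptions: the login code sets $_SESSION['user_id']; pictures live in
// /var/www/private_pics, outside the document root; ?file= is hypothetical.
declare(strict_types=1);

const PICS_DIR = '/var/www/private_pics';
const ALLOWED_TYPES = ['gif' => 'image/gif', 'jpg' => 'image/jpeg'];

session_start();

// The server decides; an anonymous client gets only an error, never the file.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required.');
}

// basename() drops any directory part, and the pattern rejects everything
// except plain file names, so "../" sequences never reach the filesystem.
$raw  = $_GET['file'] ?? '';
$name = is_string($raw) ? basename($raw) : '';
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if (!preg_match('/^[A-Za-z0-9._-]+$/', $name)
    || !array_key_exists($ext, ALLOWED_TYPES)) {
    http_response_code(404);
    exit('Not found.');
}

// realpath() resolves symlinks; confirm the result is still inside PICS_DIR.
$base = realpath(PICS_DIR);
$path = realpath(PICS_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('Not found.');
}

// Release the session lock before streaming so other requests are not blocked.
session_write_close();

header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```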