Howto forbid anonymous users from downloading files from hot links
Hello, friends!
I would like to forbid anonymous users from downloading files from hot links (e.g; http://www.mysite.com/pics/secret.jpg). But, I would like to allow logged in users to download that files from hot links. I am using Apache Web Server, PHP and mySQL. Regards, greeting :study: |
One way would be to put the pictures in a folder that can't be accessed from outside, and use a PHP script, like http://www.mysite.com/pic.php/secret.jpg, to load them. Then, that script can always check if the user is logged in.
|
Try htaccess
|
.htaccess gives error for %{HTTP_REFERER}!^$
Hello, zero_g!
I refered to the following site http://www.javascriptkit.com/howto/htaccess10.shtml and fill the following lines Code:
RewriteEngine on If I comment out that line, it is working properly. What's wrong with me? Friend DeNayGo, I interest your idea too. But, I have no idea how I should do for the time being. :D ***I am running apache on winXP.*** Regards, greeting :study: |
I don't know much about javascript.
correct me if I'm wrong. what you can do is 1)when a user logs in assign a "session id" to him so anonymous users do not have a session id. 2)when a user clicks on a link jump to a function in javascript . I think in javascript there is something like "onclick=myfunction()" 3)in the function check if the session id is set 4)if session id is not set give out an error message else session id is set redirect the logged in user to the file. |
pankaj99, you seem to be misunderstanding a vital part of JavaScript, that it is client-side not server-side. This means you're trusting the browser's user to not just read the script source and find the file's location. Session ids are maintained by the server, and although they may be stored in a cookie or appended to urls in a page, trusting the client's end to check that some passed value is set to some 'allowed' flag is again flawed. The server should decide if it has recieved authentication from the client, and either deliver simply a yes or no page, not one containing the secret information but attempting to hide it or check at the client's end.
|
proud,
yes you are correct. Then maybe the OP can verify the session id using a server side scripting language like php. then allow a user to download if it is set else not. |
That would seem to be what DeNayGo concluded too. :)
|
I was thinking of using the password protection...
http://www.javascriptkit.com/howto/htaccess3.shtml However, the simplest approach for you is what DeNayGo suggested since you are using PHP already and have implemented a session id. .htaccess is just basic security so you can control access to files easily without much scripting or having to implement a session id. |
I use .htaccess and php code. Is it secure?
Dear Friends,
I have added the following .htaccess file to my pics directory (Let's assume that nobody knows pics directory :D). Even they know (if I keep secret that folder, how they can know?) the hot link, the following lines will prevent hot linking. Right??? (I am not sure. If I make mistake, please point me out.) Code:
RewriteEngine on Can I say my secret.jpg is secure, now???????? Further more, I would like to know these: The following line wants to mean empty referer is allowed? (!^$ means NOT empty) (*** Apache blame me it is error. I've posted about that case ***) Code:
RewriteCond %{HTTP_REFERER}!^$ And The following line wants to mean will allow only for http://www.mysite.com? Code:
RewriteCond %{HTTP_REFERER}!^http://www.mysite.com/.*$ [NC] greeting :study: |
It would be more secure if you move your pics directory to a location above the root of your website. Then, visitors from the web cannot get to the directory, but your PHP script can.
|
Thank you, Jiml8. I have never thought like that before. :)
|
This simple bit of html is guaranteed to work.
Code:
<html> |
Dear slantoflight,
What do you want to mean? I can't catch your idea. :) |
All times are GMT -5. The time now is 12:13 PM. |