.htaccess + PHP, without password prompt

woranl · 11-25-2004, 10:22 PM

Hi

I've a website, in which one folder stores images. I don't want my visitors to download my images by inserting the image's path into the browser's location bar. (They can only access to those images from my website.)

This is what I want:

Visitor --> PHP --> Image

and NOT

Visitor --> Image

The image folder can only be access through a server side PHP script

I'm able to protect my image folder using .htaccess.
What do I need to do, so that the PHP script will login to my image folder automatically whenever the script is called without popping up a window asking me for username + password?

Is it possible (if so, how) to include my login+password in the header... so, whenever I call an image from PHP code, PHP will use that login info to access the required image. By doing this, one must go through my script in order to access the image; thus, blocking hotlinking or direct displaying
(This may not be a perfect idea)

Thanks in advance

sigsegv · 11-26-2004, 03:49 AM

What you're describing can't be done without a good deal of needless work. The most practical thing would be to use Apache's mod_rewrite:

Code:

RewriteEngine    On
RewriteCond      %{HTTP_REFERER}      !www\.yourdomain\.com
RewriteRule      /images/.*           - [F]

woranl · 11-26-2004, 08:01 AM

sigsegv,

I copy your code to my .htaccess file and when I try to access images from the protect folder (calling from a php page on my webserver), it's giving me a 403 Forbidden error.

I've already checked that the mod_rewrite module is loaded.

Can you explain what those 3 lines of code mean ?

The code you gave me can avoid the images from direct displaying?

Cedrik · 11-26-2004, 10:07 AM

If you can use flash plugin, you could make a sort of flash applet that load images
dynamically. The suggestion from sigsegv requires editing the httpd.conf which may
be not available to you if you use a web hosting provider.

woranl · 11-26-2004, 12:17 PM

in my case, flash won' t help. . . because my site is near to the end of development, I just need to protect the directory, and that's it. . . I don't have the time for flash anymore

regarding to hosting, that's not a problem.. because we have our own webserver running apache 2

How do I protect my folder? I can't get .htaccess + mod_rewrite to work

sigsegv · 11-26-2004, 01:04 PM

Quote:

If you can use flash plugin, you could make a sort of flash applet that load images
dynamically. The suggestion from sigsegv requires editing the httpd.conf which may
be not available to you if you use a web hosting provider.

Flash? Yuk.

And no, RewriteRules don't require httpd.conf access. That's why the fine folks at Apache have the .htaccess file ...

As for what the directives do:

Code:

# Turn on the rewrite engine
RewriteEngine    On
# If the HTTP_REFERER doesn't contain "(www.)?yourdomain.com" (case insensitive)
RewriteCond      %{HTTP_REFERER}      !^http://(www\.)?yourdomain\.com  [NC]
# throw a 403 on /images/*
RewriteRule      /images/.*        - [F]

So, if a user tries to come get your images directly (which will cause the HTTP_REFERER to not be set), the server will 403 on them.

This will slow down most people, but there's no way to stop someone from getting the images if they really want them, short of not having them on the server.