  1. #1
    SitePoint Member
    Join Date
    Nov 2008
    Posts
    2

    Preventing type-in access to URL

    Hello to all.
    This is my issue: I created several directories with pictures in one domain.
    In another domain I created links pointing to my picture's folders.
    I want to only allow access to those folders if the person comes from the links I mentioned. I don't want type-in access to those folders.
    I tried some hotlink protection with .htaccess, but they don't protect from type-in.
    Any suggestions? Thanks a lot guys.

  2. #2
    SitePoint Wizard
    Join Date
    Dec 2003
    Location
    USA
    Posts
    2,582
    You could do a couple things:

    1) Remove the permissions from those images and directories for "guest", then use a PHP script to include the image instead (you'd have to load and output the image with PHP functions, not an img tag)

    2) Change the extension of the images to a non-standard extension and then have PHP properly translate them.

    If you want to prevent index listing (like, if they just type www.mysite.com/images and it displays a list of all the images), just put an index file in the folder. The index folder can do anything from telling them they aren't allowed here, to redirecting them to where you want them, etc.

  3. #3
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2008
    Posts
    5,757
    There are two ways to do hotlink protection. Both methods use the REFERER HTTP header.

    1) If the referer header is present, and it doesn't contain the correct domain, deny the request.
    2) If the referer header is missing, or it doesn't contain the correct domain, deny the request.

    You must have tried method 1. This is the most popular because the referer header is an optional header that browsers aren't required to send. Some users disable their browser from sending the referer header for security/privacy reasons. Some installed software also disables it. This is why you generally want to allow the request if the referer header is not present, otherwise you completely block some legitimate users. But browsers won't send a referer header if the address is typed in, which is your problem.

    You could go with method 2, and just live with some users (disabled referer header) not being able to use your website properly.


    You could alternatively implement some type of cross-domain session. Basically, when they're on the page which contains the links, that domain creates a random access token which it appends to the URLs of the links. This token is stored in a database which is accessible to both domains. The domain hosting the images would serve the images using a script like PHP, which receives the token and checks the database. The database could contain a limit to how many times this token will grant the image to be viewed, or maybe allow it to work for a certain time limit, or both, etc. The script denies the request if a valid token is not supplied in the URL, and maybe serves an error message image informing the user the link has expired, etc.
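
The token scheme described in post #3, as an added PHP example that is not part of the original thread. The table `image_tokens`, its columns, the `img` and `t` query parameters and all function names are assumptions chosen for illustration; the default in-memory SQLite DSN is only for trying it out and would be replaced by a database both domains can reach.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Table, column and parameter names are assumptions.

// Open the token store and create the table if it is missing.
function openDb(string $dsn = 'sqlite::memory:'): PDO {
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS image_tokens (
        token TEXT PRIMARY KEY, image TEXT NOT NULL,
        expires_at INTEGER NOT NULL, uses_left INTEGER NOT NULL)');
    return $db;
}

// Linking domain: mint an unguessable token bound to one image, with a
// time limit and a view limit, and append it to the link URL.
function issueToken(PDO $db, string $image, int $ttl = 300, int $maxUses = 3): string {
    $token = bin2hex(random_bytes(16)); // 128 bits from the system CSPRNG
    $db->prepare('INSERT INTO image_tokens VALUES (?, ?, ?, ?)')
       ->execute([$token, $image, time() + $ttl, $maxUses]);
    return $token;
}

// Image domain: consume one view. A single conditional UPDATE keeps the
// check and the decrement atomic, so parallel requests cannot overspend.
function redeemToken(PDO $db, string $token, string $image): bool {
    $stmt = $db->prepare('UPDATE image_tokens SET uses_left = uses_left - 1
        WHERE token = ? AND image = ? AND expires_at > ? AND uses_left > 0');
    $stmt->execute([$token, $image, time()]);
    return $stmt->rowCount() === 1;
}

// Image domain entry point, e.g. image.php?img=cat.jpg&t=<token>
function serveImage(PDO $db, string $dir, array $query): void {
    $image = basename((string)($query['img'] ?? '')); // drop any path components
    $token = (string)($query['t'] ?? '');
    $path  = $dir . '/' . $image;
    if ($image === '' || !is_file($path) || !redeemToken($db, $token, $image)) {
        http_response_code(403);
        exit('Link expired or invalid');
    }
    header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
    header('Cache-Control: private, no-store'); // keep shared caches from replaying it
    readfile($path);
}
```

The image directory passed as `$dir` has to be unreachable by direct URL (stored outside the document root, or denied by the web server), otherwise a typed-in address bypasses the script entirely.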

  4. #4
    SitePoint Member
    Join Date
    Nov 2008
    Posts
    2
    Thank you guys.
    I understand crmalibu's theory. Too bad I'm not a PHP programmer. Do you think there is a script or something I could use to do that?

