-
Feb 5th, 2012, 06:18 AM
#1
Thread Starter
Hyperactive Member
Allow access to images only through my website pages
Hi! I have a folder called "myfolder" on my server, it contains images(jpg,jpeg,gif...etc). my website domain is "www.mysitedomain.com". I want to deny direct access to any image inside that folder, but allow any .php or .htm page inside my website to access these images and display them through the tag <img src=''>.
I used .htaccess file with following:
Code:
Order deny,allow
Deny from all
Allow from www.mysitedomain.com
that didn't work. It deny access to all, even my site mysitedomain.com!?
I need deny access to all except my site mysitedomain.com how can I do that?
Thanks in advance
-
Feb 5th, 2012, 02:04 PM
#2
Re: Allow access to images only through my website pages
I use the following:
Code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(.*)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|swf)$ - [NC,F]
Empty referrers, Google and my own domain are excepted; for all others, return a 403 for any of the file types listed.
-
Feb 5th, 2012, 03:00 PM
#3
Thread Starter
Hyperactive Member
Re: Allow access to images only through my website pages
I used it, but even after putting that code inside the .htaccess, still direct access is allowed!
what I want, not only disallow other websites showing images from that folder. But also, I want to deny direct access to that image. I want only allow (php & html) pages inside my website to display these pictures.
Example:
I have folder "myfolder" contain image "myimage.jpg". I have a page called "displaymyimage.php" when visitor open that page it will show the image "myimage.jpg" because it contains the code:
<img src='./myfolder/myimage.jpg'>
Now, when visitor want to display image directly by going to the URL:
mydomain.com/myfolder/myimage.jpg
I don't want the image to be displayed for him. I hope you got my point
Thank you very much for your help
-
Feb 5th, 2012, 03:07 PM
#4
Thread Starter
Hyperactive Member
Re: Allow access to images only through my website pages
To be more clear. I want to deny direct access to this folder totally. I want only my local (php & html) pages to have the right display these images inside that folder.
I thought about a solution which is protecting that folder with a Username & Password by using .htaccess ...
But Its not that secure also, when visitor know the password, then he can access the folder. Also, its not practical to write urls
username : password@mydomain.com/myfolder/myimage.jpg
In addition it make php scripts much slower!
I hope you can help me to find a solution...
Thank's in advance
-
Feb 6th, 2012, 12:04 PM
#5
Re: Allow access to images only through my website pages
Sounds like you just need to take out the exception lines and allow only your domain:
Code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|swf)$ - [NC,F]
-
Feb 6th, 2012, 07:57 PM
#6
Re: Allow access to images only through my website pages
Originally Posted by Visual Basic.Net
I want to deny direct access to any image inside that folder, but allow any .php or .htm page inside my website to access these images and display them through the tag <img src=''>.
I used .htaccess file with following:
Code:
Order deny,allow
Deny from all
Allow from www.mysitedomain.com
that didn't work. It deny access to all, even my site mysitedomain.com!?
I need deny access to all except my site mysitedomain.com how can I do that?
There is a fundamental misconception here. Your site does not access the images; the user does. Your webpage tells the user's browser where to look for the images.
Samba's solution using the Referer (sic; it's misspelt in the spec) header will work if the browser is configured to send this header. Most do out of the box, but can be configured not to, in which case this solution will be ineffective, and will in fact prevent these users from seeing any images on your site.
An alternative method you could use, if you're quite serious about this, is to generate a unique token which identifies the image and is valid for a single use, and serve this as the src for the image element. When the browser makes a request to some script, giving this token as a parameter, you look up the token in a table which maps the token strings to image paths, serve the corresponding image, and delete the token so that it can't be used again.
This type of solution is serious overkill for controlling hotlinking, though.
-
Feb 7th, 2012, 08:38 AM
#7
Thread Starter
Hyperactive Member
Re: Allow access to images only through my website pages
SambaNeko... Thank you very much bro. your solution worked! now website visitors can access images only through my scripts (.php & .html pages).
penagate... What u mean exactly... I didn't got it. Thats mean the solution is not practical ... I need a practical solution that works for all visitors of my site. what I want is not avoiding hotlinking. No at all... but I want to protect these images. Only authorized users can see them. Each user is allowed to see a specific image only that related to him. a user can't see other users images. So, I made php script that ask for username & password... if they are correct script will show the image for the user. The URL of the image can be found easily by do right-click -> properties on that image. Thats will lead user to know orther images url... because names are known... I though about making names as combination of random letters and numbers, and store the url for each random string in the database. But still if one of the user know the name of that image... He will be allowed to see them. These images counted as high privacy issue. So I need strongly allow only the one who has the username & password to see only the image he has been allowed to see. I though about storing them into the database. But that will not be practical at all... because of current system specification I dealing with...
If you have an improvment for the solution of our friend SambaNeko... then please share it with us...
Thank you very much for your help
-
Feb 7th, 2012, 06:16 PM
#8
Re: Allow access to images only through my website pages
Originally Posted by Visual Basic.Net
what I want is not avoiding hotlinking. No at all... but I want to protect these images. Only authorized users can see them. Each user is allowed to see a specific image only that related to him.
In that case you need to develop a solution like the access token method which I described.
Originally Posted by SambaNeko
If the browser were configured to not send headers, is it treated as an empty referer
Yes.
-
Feb 7th, 2012, 08:41 AM
#9
Thread Starter
Hyperactive Member
Re: Allow access to images only through my website pages
SambaNeko... can you plz explain your code to me?
what this line means?
RewriteCond %{HTTP_REFERER} !^$
why when removed it... direct access disallowed?
-
Feb 7th, 2012, 12:04 PM
#10
Re: Allow access to images only through my website pages
RewriteCond %{HTTP_REFERER} !^$ adds a condition for the RewriteRule that the referer header must not be empty. If you go to an image directly, then the header will be empty, so this condition fails and the RewriteRule is not effected.
Most do out of the box, but can be configured not to, in which case this solution will be ineffective, and will in fact prevent these users from seeing any images on your site.
If the browser were configured to not send headers, is it treated as an empty referer (and falls under the condition above) or something else?
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|