Results 1 to 10 of 10

Thread: Allow access to images only through my website pages

Hybrid View

  1. #1

    Thread Starter
    Hyperactive Member
    Join Date
    Jun 2005
    Posts
    265

    Allow access to images only through my website pages

    Hi! I have a folder called "myfolder" on my server, it contains images(jpg,jpeg,gif...etc). my website domain is "www.mysitedomain.com". I want to deny direct access to any image inside that folder, but allow any .php or .htm page inside my website to access these images and display them through the tag <img src=''>.

    I used .htaccess file with following:
    Code:
    Order deny,allow
    Deny from all
    Allow from www.mysitedomain.com
    that didn't work. It deny access to all, even my site mysitedomain.com!?
    I need deny access to all except my site mysitedomain.com how can I do that?

    Thanks in advance

  2. #2
    Frenzied Member
    Join Date
    Apr 2009
    Location
    CA, USA
    Posts
    1,516

    Re: Allow access to images only through my website pages

    I use the following:
    Code:
    RewriteEngine on
    RewriteCond &#37;{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://(.*)?google.com [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain.com [NC]
    RewriteRule \.(jpg|jpeg|png|gif|swf)$ - [NC,F]
    Empty referrers, Google and my own domain are excepted; for all others, return a 403 for any of the file types listed.

  3. #3

    Thread Starter
    Hyperactive Member
    Join Date
    Jun 2005
    Posts
    265

    Re: Allow access to images only through my website pages

    I used it, but even after putting that code inside the .htaccess, still direct access is allowed!

    what I want, not only disallow other websites showing images from that folder. But also, I want to deny direct access to that image. I want only allow (php & html) pages inside my website to display these pictures.

    Example:
    I have folder "myfolder" contain image "myimage.jpg". I have a page called "displaymyimage.php" when visitor open that page it will show the image "myimage.jpg" because it contains the code:
    <img src='./myfolder/myimage.jpg'>

    Now, when visitor want to display image directly by going to the URL:
    mydomain.com/myfolder/myimage.jpg

    I don't want the image to be displayed for him. I hope you got my point

    Thank you very much for your help

  4. #4

    Thread Starter
    Hyperactive Member
    Join Date
    Jun 2005
    Posts
    265

    Re: Allow access to images only through my website pages

    To be more clear. I want to deny direct access to this folder totally. I want only my local (php & html) pages to have the right display these images inside that folder.

    I thought about a solution which is protecting that folder with a Username & Password by using .htaccess ...
    But Its not that secure also, when visitor know the password, then he can access the folder. Also, its not practical to write urls
    username : password@mydomain.com/myfolder/myimage.jpg
    In addition it make php scripts much slower!

    I hope you can help me to find a solution...
    Thank's in advance

  5. #5
    Frenzied Member
    Join Date
    Apr 2009
    Location
    CA, USA
    Posts
    1,516

    Re: Allow access to images only through my website pages

    Sounds like you just need to take out the exception lines and allow only your domain:
    Code:
    RewriteEngine on
    RewriteCond &#37;{HTTP_REFERER} !^http(s)?://(www\.)?mydomain.com [NC]
    RewriteRule \.(jpg|jpeg|png|gif|swf)$ - [NC,F]

  6. #6
    I'm about to be a PowerPoster!
    Join Date
    Jan 2005
    Location
    Everywhere
    Posts
    13,647

    Re: Allow access to images only through my website pages

    Quote Originally Posted by Visual Basic.Net View Post
    I want to deny direct access to any image inside that folder, but allow any .php or .htm page inside my website to access these images and display them through the tag <img src=''>.

    I used .htaccess file with following:
    Code:
    Order deny,allow
    Deny from all
    Allow from www.mysitedomain.com
    that didn't work. It deny access to all, even my site mysitedomain.com!?
    I need deny access to all except my site mysitedomain.com how can I do that?

    There is a fundamental misconception here. Your site does not access the images; the user does. Your webpage tells the user's browser where to look for the images.

    Samba's solution using the Referer (sic; it's misspelt in the spec) header will work if the browser is configured to send this header. Most do out of the box, but can be configured not to, in which case this solution will be ineffective, and will in fact prevent these users from seeing any images on your site.

    An alternative method you could use, if you're quite serious about this, is to generate a unique token which identifies the image and is valid for a single use, and serve this as the src for the image element. When the browser makes a request to some script, giving this token as a parameter, you look up the token in a table which maps the token strings to image paths, serve the corresponding image, and delete the token so that it can't be used again.

    This type of solution is serious overkill for controlling hotlinking, though.

  7. #7

    Thread Starter
    Hyperactive Member
    Join Date
    Jun 2005
    Posts
    265

    Re: Allow access to images only through my website pages

    SambaNeko... Thank you very much bro. your solution worked! now website visitors can access images only through my scripts (.php & .html pages).

    penagate... What u mean exactly... I didn't got it. Thats mean the solution is not practical ... I need a practical solution that works for all visitors of my site. what I want is not avoiding hotlinking. No at all... but I want to protect these images. Only authorized users can see them. Each user is allowed to see a specific image only that related to him. a user can't see other users images. So, I made php script that ask for username & password... if they are correct script will show the image for the user. The URL of the image can be found easily by do right-click -> properties on that image. Thats will lead user to know orther images url... because names are known... I though about making names as combination of random letters and numbers, and store the url for each random string in the database. But still if one of the user know the name of that image... He will be allowed to see them. These images counted as high privacy issue. So I need strongly allow only the one who has the username & password to see only the image he has been allowed to see. I though about storing them into the database. But that will not be practical at all... because of current system specification I dealing with...

    If you have an improvment for the solution of our friend SambaNeko... then please share it with us...

    Thank you very much for your help

  8. #8
    I'm about to be a PowerPoster!
    Join Date
    Jan 2005
    Location
    Everywhere
    Posts
    13,647

    Re: Allow access to images only through my website pages

    Quote Originally Posted by Visual Basic.Net View Post
    what I want is not avoiding hotlinking. No at all... but I want to protect these images. Only authorized users can see them. Each user is allowed to see a specific image only that related to him.
    In that case you need to develop a solution like the access token method which I described.


    Quote Originally Posted by SambaNeko
    If the browser were configured to not send headers, is it treated as an empty referer
    Yes.

  9. #9

    Thread Starter
    Hyperactive Member
    Join Date
    Jun 2005
    Posts
    265

    Re: Allow access to images only through my website pages

    SambaNeko... can you plz explain your code to me?

    what this line means?
    RewriteCond &#37;{HTTP_REFERER} !^$

    why when removed it... direct access disallowed?

  10. #10
    Frenzied Member
    Join Date
    Apr 2009
    Location
    CA, USA
    Posts
    1,516

    Re: Allow access to images only through my website pages

    RewriteCond &#37;{HTTP_REFERER} !^$ adds a condition for the RewriteRule that the referer header must not be empty. If you go to an image directly, then the header will be empty, so this condition fails and the RewriteRule is not effected.

    Most do out of the box, but can be configured not to, in which case this solution will be ineffective, and will in fact prevent these users from seeing any images on your site.
    If the browser were configured to not send headers, is it treated as an empty referer (and falls under the condition above) or something else?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width