I'm working on an application where I have a web interface for a screen on my wall, and the goal is to allow my friends to upload images to it.
Right now I have a basic web interface with a login, which authenticates a session and has a page which allows uploading an image and changing some of the parameters of the screen. The parameters are stored in a MySQL database, as well as the login details. This part I've heavily based off the approach detailed in this link:
https://phppot.com/php/secure-remember-me-for-login-using-php-session-and-cookies/
Ideally I can allow my friends to upload images to this screen in a secure way that is as simple as possible. What I am imagining is a unique URL link that can be sent to them, which takes them to a page where they can upload an image but do not have access to change any of the screen parameters and so on. This URL would allow anyone who has it to upload pictures, but I want the owner of the screen to also be able to deactivate the URL if it is no longer secure. The owner could ideally generate a number of URLs that they could share with different people, which would all upload to the same screen.
My question is firstly, is this a good approach and is there a way to do this securely (without opening access to the screen parameters and so on)? I would prefer to avoid giving these "guest" users login details, as that is one more account to remember and reduces the simplicity of uploading to the screen.
My next question would be how to do it? My current idea is to have a new database with columns for the screen ID (to allow it to work when I have multiple screens) and link URL. The screen owner would generate some kind of random string as the URL and save it to the database. The "guest" upload page would only allow uploads if the redirected URL is found in the database. Right now I'm looking at affiliate link examples to get ideas on how to implement this, but if anyone has better suggestions of what to search for or other examples it would help a lot.
I'm very new to web development so I'm not sure if I'm describing my approach clear enough or if my goal even makes sense. I'm also very uncertain of any possible security issues I may be introducing with this approach, so anyone has suggestions or possible pitfalls please let me know. I don't know how much I don't know.
You can use Tokens :
generating tokens with php
You generate an URL with the token inside then send it to your friends:
www.myULR/token
After, you create a table token with all tokens with a jointure with user's id,
and you should easily verify with PHP, if tokens exist and user is not an impostor, allow him to upload files.
Related
I have to build an application where users can download videos from a site but cannot share them. My first solution is to save these files in a hidden location on the users computer since one of the requirements is that the user should be able to watch the downloaded videos offline.
Please how do I go about saving a file in a location the user cannot see using php.
Thanks.
One solution is to generate token for each request for a video. That token would have its lifetime. Php script should be serving the content instead of giving direct access to resource to user. The script should check if the token is still active before serving the content.
It is up to you how to pass the token. The simplest way is to make it contained in uri.
No matter where you put your videos in your directory structure, you always send the data as a partial request. Once data is acquired by the user, it could be saved an reproduced.
There are techniques, however, to protect your video from direct download through curl, wget or other ways of download. And this is using a secure token and an expiration, passed as parameters. This way your video download window will be limited and generating the token manually would be pretty hard.
Chidiebere Onwunyirigbo, its a Great Question. One solution for your requirement is Steganography. It is the process of concealing your data (videos) behind other files (multimedia files like image, audio, video), in your case preferable would be Image Steganography. It is quite a old technology but new to many, you can get several ready tools/code for it on the internet which you can customize as per your need. From your side you have to provide the file that is already embedded inside the image for download. Only the tool coded for retrieval and rendering the hidden video can render your video. So, for this part all the users of your site have to first download this desktop application from your site for viewing the video. This will keep your videos safe on the users computer offline, because every user who takes the video will require the reverse steganography tool to be downloaded from your site. You can even embed secret info like users IP inside the Stego image along with the video and for each tool download, associate user computer's IP with the tool. If IP embedded inside Stego image matches with that of tool only then you allow to play else redirect application to get it registered. But the limitation would be that, the users will have to download your application and will be able to view videos only on your desktop application which will render the Steganographed video.
You cannot hide information on the user computer. Even if your process are running on a windows comp as SYSTEM user, a power user can take ownership of the files.
The only solution you have, are developing or using a known DRM system, for allowing only playing the video on a determined computer or another specifications (for example, if the program have the authentication token of some user).
At any case, you need to do two things for this:
- You need a custom application to play the video, if you want to check DRM.
- You need to recode / modify something on the video before download, for adding on them a code for allow only play on the destination computer or data used for authenticating DRM.
I want to create a Facebook Application where the user can upload an image to my server. I would be glad if you can tell me if this is possible, if there are any restrictions, and what would be the best way to do it.
I would code the application with PHP.
Thanks in advance!
I dont think there is some restriction about that on Facebook .Not sure,you might have to check out
http://developers.facebook.com/policy/
Also Best way would be to store images in Users album on Facebook using extended permissions ,instead of your server so it seems legitimate to both users and Facebook.
Though don't know what type of facebook application you are creating where you need to store images on server but it will not be a problem till you follow their privacy policy and terms.
And may be this app is something you might want to check ,its in beta and may be on same idea , and from that you can be sure
http://usepipe.com
I'm designing a simple web app for some elderly family members, 1 of whom has Alzheimer's. The end goal is to provide them each with a tablet (probably Android but irrelevant for this problem) that would be stripped down to ideally 1 bookmark on the home screen which opens my web app.
What I am looking for are ideas on how to identify the user without the conventional username/password methods. With their condition I know that remembering an username is going to be almost impossible, let alone a password. Ideally I would recognize the device and relate that to a specific user.
There will be other users on the app that access it through normal methods (username+password on PC/mobile/tablet), which I'm handling with Zend_Auth. It's just these 2 users who I am concerned about identifying.
Security isn't a huge concern as the data will not be sensitive in any way, but I still need to differentiate between users.
I am building this in php with Zend Framework. I'm really looking for more ideas than specific code, although anything based in php or javascript would be great. Any ideas or suggestions would be greatly appreciated. Thanks for your help
These advice are only valuable if security is not an issue :
On the bookmarks page, insert a token in the link, which you will use to authenticate the users.
if you can, check in the background for IP/user agent (if there is only one device that needs this simplified auth process, and assuming it's connection uses a fixed IP address)
And a simple idea if you have multiple users using the same device :
on your bookmark page, put a picture of each user
make it clickable, with the token discussed above in the href of the link.
That's simple to implement and easy to remember.
Hope that helps !
On a actual project (dating site) i have the following scenario:
Member can upload photos (main profile) and create albums and assign photos to it. Now the member can choose only to allow registered members, premium members or members in his favorites to access the album.
The easiest solution is to hide the album, but if someone who has access post the src url to the photo it would be accessible to everyone who has the url.
I see flickr and facebook secure them in a good way, but how i can implement that without to need to query many times the DB and replicate the user auth/session. The photos will be stored on a own server (varnish/nginx).
Has anyone a idea how this can be done in mind of high traffic and to use less resources as possible?
The solutions needs to can handle the actual 20m members and around 30m photos.
Well, one possibility would be to run something like Lighttpd's mod_secdownload.
Basically you set a "secret" string in the configuration section. Then when you generate the links, instead of making a link to the resource, it's a temporal link (so it's only valid for $x number of seconds). That way the user needs to visit the page again (and hence pass access control again) before being allowed to view that image...
Apache has a similar module: mod_auth_token...
The best solution is to store the image outside the web accessible part of your server. Then, instead of referencing the photo directly, you would reference a php page pointing to the image as so:
http://www.example.com/image.php?imageid=1234567
Then in your php script, you can check if the logged in user has access to the photo, and if so, you stream the image out to the user in the response.
As an idea...
You could create a mapping table where you "prepare" the access permissions for pairs user->photo based on favorites, friends etc.
Then you return the images based on these permissions but cached per user. This will lower the stress on your servers but there will be some delay in applying restrictions due to cache timeouts.
Here's the deal:
-Flair pretty much demands a Facebook app
-I'm working on learning the Facebook platform
Therefore, I've written a dinky little Facebook app to embed your Flair into a box on the side of your profile. If you're interested and on Facebook; beware that this is very much a work in progress, prone to change and has a whole bunch of rough edges.
However, I don't have an elegant way to say "this is MY Stackoverflow profile" from this dinky app. My current solution is best demonstrated this image. It is, frankly, idiotic; and there's nothing preventing impersonation.
Having no experience with OpenID, I'm wondering if there's some way (and some example of this way, please) to get a user to provide their Stackoverflow identify to a third party?
Behavior changed to that suggested by Noldorin's answer.
Request for a saner way to do this declined on UserVoice.
There's no way to get a StackOverflow ID from OpenID and to do the opposite would be possible but unnecessarily complicated (compared to your suggested method). Copying and pasting the user ID/profile URL isn't terribly inconvenient, in my mind.
However, I can suggest some sort of solution to the issue of impersonation. This may seem like a slightly silly method, but it's the simplest way of which I can think to insure that only the user themself can display the badge. Again, I don't think it's too inconvenient. (The more traditional method of using an email confirmation isn't possible, given that emails aren't public.)
Have your Facebook app generate a random (alphanumeric?) code. Something in the form A8IO45QW6T should do.
Hold this code on the server side of your Facebook app for a short time period (say, 5 minutes).
Instruct the user to edit their About Me information by adding the given code to the last line, then to return to the Facebook and confirm. Simple inspection of HTML for the profile page of the specified user would verify ownership. The user can then remove the verification code from their About Me text.
Nice idea creating this Facebook app, by the way. I may just give it a try!
Another solution that would allow for instant verification is hashing the email address and checking to see if it matches the user's Gravatar. Granted, not every user has provided an email address, but you can always perform this check first and if it fails you can fall back to the About Me section editing (or simply require that the user have an email address). This idea is not mine, so I'll let null explain:
Do you still have the source available? As I've gotten a solution to prevent other users from messing up your results. You just need to hash the email address used by the viewer and check for the gravatar image link on the page as outlined on the gravatar site. If the user id and image hash match, then record the change to the database, otherwise... just show results. I can make that change, but the source seems lost... :(