Currently using Codeigniter/PHP and IIS 7
I have currently looked at "hotlinking" but that only protects images from being put onto other web sites. It doesn't stop the end user from directly pasting the image URL into the address bar and accessing the image whilst not being logged in.
I am not too sure what the best way is to approach this problem. How can you protect images so that it can only be accessed by logged in users?
Thank you.
Put the images somewhere outside the webroot of the site.
Have a php script that gets the images and displays the images only when logged in.
Best approach would be, if you stop using real url of images on the whole site and always retrieve the images via a php script(controller function) that could help you checking user authentication and other staffs like resize/crop/cache etc as well.
In that case, you can use any url even in root base, which isn't known to outside world at all.
There are perfomance issues in the above answer. You can rename the folder that containing images every hour / day ....
Ex
images/a8s7d5r7w9/33229.png to images/g2j3s3l1p2t/33229.png
Related
I am currently building my website. I have some videos which I want to let
visible only to some specific users after some authentication.I want like videos will be available on website but it should be played only after some process to specific people only.How can I put it?I would be grateful if someone helps me with whole process.Thanks in advance!!
There are some ways to do it. First you need to make pages which play video safe by adding some authentication requirement to them and in addition you need to secure your video file safe from direct accessing.
I can say if you use PHP you may create some virtual files which points to real file location and make them safe as you need. In PHP you can create some virtual files to deliver video files by adding appropriate header.
Refer to this page for more information:
Using php to output an mp4 video
I have a web app that lets users store files which contain sensitive information.
So far I've written code so that if they which to view their files, they go through view.php?id=xx and a check is done through a database to confirm that they are allowed to look at said file. As an example, John uploads "information.pdf" to the folder "uploads" which is found at "www.mysite.com/uploads", so the file's exact path would be "http://www.mysite.com/uploads/information.pdf", and in the database this same file has an id of , say, 2, so he would get to it via view.php?id=2.
Question
How do I stop anyone from just going to the exact path and looking at his sensitive file?
What I've done
Written the code to only allow access to files if users go through my website, not directly.
I have looked at the recommended questions for the same title, however have had no luck.
Any help would be greatly appreciated.
Don't put it in a publicly accessible path like http://www.mysite.com/uploads/. Put it outside htdocs and only allow access through your view.php
If you want to give download facility to the owner just create adownload.php that checks permission same way as view.php but instead of viewing it lets the user to download.
I am currently trying to develop an image uploading website by using CodeIgniter.
The thing is, I came across an issue today and I would really appreciate any kind of help in order to solve it.
So basically, the site is working. But the thing is, that the files are not private. A user may want to ensure that the files the users upload are only visible by them, and not by someone who just guesses a bunch of urls. (eg. user1 uploads image1 which he wants to keep private, for himself =>[localhostlocalhost/upload_script/files/image1.jpg], user2 can access image1 by guessing and typing the url [localhost/upload_script/files/image1.jpg] which is what we don't want to happen. )
I have done some research and I think that this would probably require another controller for serving the files (which checks for session data).
I have been "playing" with sessions etc in PHP for quite some time in the past, but I am not that familiar with them in CodeIgniter.
Is this the only way? I don't think I need to create separate directories for each user, do I? Can you please tell me how to head to the right direction or give me an example?
Thanks in advance,
harris21
In order to protect files, you will need keep them outside of your web root, otherwise people will always be able to url hack their way round.
I have used the very handy mod_xsendfile for apache (if you have that kind of access to your server) which will allow you to serve files that can be protected by access control and not accessed without the appropriate credentials.
Code snippet that you could put in your CI controller to display an image (adapted from the mod_xsendfile page):
...
if ($user->isLoggedIn())
{
header("X-Sendfile: $path_to_somefile");
header('Content-Type: image/jpeg');
exit;
}
If you cannot install mod_xsendfile then your only other option would be to use readfile() as TheShiftExchange says.
Use PHP to return images and lock the image directory behind the webserver root. This way, before serving an image you can check the user credentials via session variable, assuring that he is allowed to view the image. Otherwise you can redirect the user straight back to the website alerting him he does not have access. Serving images like this is way slower than just serving them via webserver (apache, nginx,...) but it will enable you to have control over the downloading of the images.
To be more exact, save the image details in a database, for example having columns: id, file_path, title, uid. Everytime a user wants to download an image for example calling http://domain.com/files/download/3 you can check if image with id 3 can be downloaded for the currently logged in user. You need to write your own controller that will be doing that.
I am doing a similar thing here http://www.mediabox.si/ you can check how images are served. I am allowing thumbnail images and I am watermarking larger images visible to ordinary visitors.
The ONLY way is to store the images outside the public_html. Otherwise by definition you are opening the file to direct access.
Use a controller to check if the user is allowed to access the file and the php function readfile() to serve the file
You can read some code at one of my other questions here: Does this PHP function protect against file transversal?
And this is actually VERY fast - you won't notice a performance hit at all
How can I know when an image (generated with PHP) is called from my website or from another one?
I have tried with
if(eregi("mydomain.com", $_SERVER[SERVER_NAME])
but seem return always true even if
<img src='..linktofilephptogeneratetheimage..' >
is located on anther server
Thanks
You'll want to use $_SERVER['HTTP_REFERER'] to get the page that refers to the image. Then match this path against the domain you're expecting the image to be accessed from (your own site).
If it's acceptable, then serve the image; if not, then echo a dummy image or something else.
Note: This variable can be manually edited by some web clients, but if you're simply trying to avoid people using your site to serve images on other pages, it should be reliable enough.
I need to redirect the url which is accessing the site images to the appropriate contents section of the site for example . the image test.jpg is used in the section http://www.mysite.com/article1 and my image path is domain/images/test.jpg if any user browse the image directly by this url domain/images/test.jpg . i would like to redirect to the article section.
What you are trying to do is kind of working against the principles of the web. A web browser loads that image of yours the same way if someone reads the article as it does when somebody accesses the image "directly".
If you only want to disable access to browsing your image collection, i.e. the directory listing of the images, that's fine and you can easily disable that in your web server.
However -- and I think that's what you are trying to do -- if you try to find out the difference how somebody accesses an image, either while reading "article1" or by loading it "directly", then things get complicated. You could use some kludges like setting cookies in the article and that you check for when loading the image... But it is probably more trouble than it's worth.