I have several programs linked and hosted on my server. I need to protect the URLs from being stolen and placed on other sites because they'll use my bandwidth.
How can I do that in PHP?
Should I just check referrer or do something else?
If you have the binary files on your server, and someone gets the address, you can't use PHP to prevent them from downloading them. You want to protect them at the web server level. Assuming you're using Apache, looking to doing this with custom .htaccess directives.
This question, involving the direct download of MP4 videos, may point you in the right directions:
Disable hot linking or direct download of my videos and only stream the video when it's displayed from a page in my website
If you don't want them downloaded/stolen, then don't put them on your site.
On the plus side, if they are stolen, then your bandwidth will only get used once. Checking referer is easiest to do, and also easiest to bypass/subvert.
If you're concerned that your server is only hosting the files but users who download it don't see where it comes from, you can do the following:
check for the referrer. This can be fooled, however, if you're concerned about links from forums etc., this is an option.
Basically you're checking if the HTTP referer header is set and matches your site's pattern. If not, you could block the traffic, however, if you actually want to offer downloads, I would not block the user.
Instead you can display a download facade-page with your site design and offering the download then. With some session logic, you can allow users to download files.
This can be done to build a much better hotlinking checker than based on http headers as well.
Related
Locally, I have developed a music site by means of a WordPress theme, and it's running well. The problem is that once the media file is streaming in the browser, Internet Download Manager(IDM) detects it and generates the download link (That's the nature of IDM) .
So, I want to build my site such that visitors will be able to play and listen to the music, but they are not allowed to download the streaming media by any downloader.
Is there any PHP code, WordPress or jQuery plugin to do this?
Thanks in advance.
If you allow visitors to listen to a file, there is no way to prevent them from downloading it. Even DRM is broken if they are determined enough. If they can play it, they can save it.
That said, you have several options.
Use Flash to stream the file.
It is still pretty easy to download unless the file is embedded in the SWF or uses DRM. This is a common solution, and works well unless you need to support mobile browsers without Flash support.
Only allow one download per IP address.
This has major usability problems and will not work in many browsers. I don't recommend it.
Send the file encrypted and decrypt with Javascript.
Could be very slow, still doesn't stop determined users, depends on Javascript, requires either dataurl support or newer html5 audio apis.
Don't worry about it.
This is what I do.
As an example, lets say I'm working with a product that requires I put <iframe>s onto my page, which then get embedded into my existing website.
The issue being my website is SSL, and the iframe comes from another origin which is not SSL.
I'm not worried about javascript here as the other origin cannot access the DOM due to same-origin, but my huge concern here is that annoying "mixed content" error in IE that pops up, or the broken lock in other browsers, etc. If a user doesn't know to click "no," they don't get the content-- which is critical to the website.
What I want to do instead is provide a way to take this content and scoop it into my own script so it sends to the browser from my domain with my SSL certificate, for all resources it links to (ie, recursively parse the file and send the resources as my own). I realize this could open a huge hole because it's now coming from my origin.
What recommended approach should I take to get third party content to land on my site? Right now the content I'm pulling is the base HTML file, the CSS, and 9 images, all of which are dynamic. This is simmilar to a proxy I suppose.
What I want to do instead is provide a way to take this content and scoop it into my own script so it sends to the browser from my domain with my SSL certificate, for all resources it links to (ie, recursively parse the file and send the resources as my own). I realize this could open a huge hole because it's now coming from my origin.
Get a separate domain (mydomain.com -> thirdpartyname.mydomain-proxy.com) to serve as an HTTPS proxy for third-party content. That way they cannot run JavaScript in the same origin as your website.
Alternatively: Pressure them to adopt HTTPS. It's fast and it's free.
I have a file that is being linked to from other sub websites.
The file: http://site.com/file.img
Website A linking to it <img src="http://site.com/file.img"></img>
website B linking to it <img src="http://site.com/file.img"></img>
I need to reliably identify which of these websites has accessed the file, but I know that $_SERVER['HTTP_REFERER'] can be spoofed. What other ways do I have to reliably confirm the requester site? By IP, get them to register an IP? not sure. setup an API key? What options are there?
If a website is only linking to a file, the "website" itself will never actually access your image. Instead, the client who's viewing the site will make a request for the image.
As such, you're depending on information sent by the client, which is completely out of your control and not reliable at all. If you have the opportunity to set some sort of unique cookie on the client, you may be able to use this in some fashion for extended identification, but even that won't be reliable.
There is no 100% reliable solution.
Getting the referrer is the best you can do without getting into complicated territory.
If you don't mind complicated, then read on: set up your Web server to serve file.img only to Website A and Website B, then require that Website A and Website B set up a proxy configuration on their end that will retrieve file.img on behalf of their visitors.
Example:
A visitor to Website A loads a page that contains an image tag like <img src="http://websiteA.com/file.img"/> (note reference to Website A rather than your site). Client requests file.img from WebsiteA.com accordingly. Website A is configured to proxy requests for the path /file.img to your server, http://site.com/file.img. Your site verifies that it is in fact Website A that is requesting the image and then serves it to Website A's proxy. Website A then serves it to the visitor.
Basically, that makes it a pain for Websites A and B, gives you a performance hit, and also requires further configuration on your part. But I imagine that would satisfy your requirement.
Have a look at how OpenID relying is implemented, it allows one site to authenticate against another. The protocol specification will give a hint at the effort and overhead required to reliably implement such a scheme.
http://googlecode.blogspot.com/2010/11/googles-sample-openid-relying-party.html
Is it possible to create a download link for a file on another site and change the file name? Can it be done without proxying it through my server? I'd like to achieve it without any additional bandwidth cost if possible.
EDIT:
Just an idea but can it be achieved with a flash downloader of sorts?
You could fake it using a header redirect header("Location:http://....."); but the download process will probably show the real URL nevertheless - will depend on the client.
There is the Content-Location header but according to this blog post, it is used to specify an alternative location for the same content about to be received here, which makes it useless as a redirection tool.
The only other way I know is indeed through proxying.
I have a demo server where I put samples of my apps, I send potential customers links to those apps. Is it possible to use htaccess to track visitors, without adding tracking capability to the apps themselves? The data I'm interested in are:
date and time of page visit
ip of visitor
url of the page visited
referrer
post and get (query string) data if any
That entirely depends on your webserver, what options it provides for htaccess overrides.
For Apache, the access log logs what you are looking for
http://httpd.apache.org/docs/current/logs.html#accesslog
but is not configurable via htaccess.
no, that's impossible to use .htaccess file, because it's merely a configuration file, not executable one.
However you can use another web-server capability - log files.
Everything you asking for is already stored in the access log, almost in the same format you listed here.
An important note: unlike google analytics or any other third-party or scripting solution, web-server logs is the only reliable and exact source of tracking data, contains very request been made to your site.
Best way it to use google analytics.
You will get all what you need and much much more.
I know this thread has been quiet for a while, but i it not possible to use the prepend?? directive that prepends a script to all visits to track site/page visits ?
I have not got the code (tried something similarthough was not successfull) but I used the prepend directive to prepend a script that "switches" on gzip for all site visits. I am sure the same can be implemented for logs (for those of us with cheap shared servers!) Come on coders, do us all a favour and reveal the secret!