
Apache Web Server Forum

    
Using htaccess to deny image file paths
htaccess image file path
cranfan
msg:4384960
 5:44 pm on Nov 8, 2011 (gmt 0)

Hi,

I am close to launching a photography site and want to give some protection to a few images that are stored in a dedicated folder. I have so far used htaccess to prevent hot linking and caching.

I would also like to prevent access to the images by the user entering the file path. The only way I have found to do this (as part of the hot linking exercise) is to deny access to blank referrers which I don't want to do.

Is there an alternative approach, perhaps by giving permission to the html pages that display the images but denying other access?

Appreciate any suggestions. Thanks.

 

wilderness
msg:4384967
 6:09 pm on Nov 8, 2011 (gmt 0)

Is there an alternative approach


scripts and/or session ID's.

lucy24
msg:4385065
 10:16 pm on Nov 8, 2011 (gmt 0)

Is there an alternative approach, perhaps by giving permission to the html pages that display the images but denying other access?

That's what you're already doing in your hotlink-blocking routine. But you're right that denying all null referers will exclude some legitimate human visitors. And then you have to start making exceptions for the ever-growing list of google translation and allied services that, again, involve perfectly legitimate humans.

But how are they getting into the file path in the first place? If you've got auto-indexing turned off-- which you should do by default anyway-- they'd get hit with a 403 before they ever see the files. In fact that's what 403 means to an ordinary human: not "Go away you evil robot" but simply "This directory doesn't have an index".
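The two points in this reply (indexes off, and a hotlink block that does not punish blank referers) can be written as a single .htaccess fragment. This is an added example, not code from the thread; example.com and the protected/ folder name are placeholders, and it assumes mod_rewrite is enabled with AllowOverride permitting FileInfo and Options in that directory.

```apache
# Turn off directory listings so a request for the folder itself gets a 403
# rather than a list of image filenames.
Options -Indexes

RewriteEngine On

# Requests with NO Referer header are let through. This covers bookmarks,
# privacy settings and proxies that strip the header, so legitimate humans
# are not locked out (the trade-off discussed above).
RewriteCond %{HTTP_REFERER} !^$

# Requests referred from our own pages are let through (placeholder host).
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]

# Anything else asking for an image under protected/ is refused.
RewriteRule ^protected/.*\.(jpe?g|png|gif)$ - [F,NC]
```

Because the first condition exempts empty referers, this rule stops third-party pages embedding the images but does nothing against someone typing the path in directly; tightening it to block empty referers too is exactly the change that starts excluding real visitors.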

cranfan
msg:4385191
 8:55 am on Nov 9, 2011 (gmt 0)

Thanks Wilderness and Lucy for your responses.

I do have indexes turned off but the problem as I see it is that anyone can see your source code and determine the file path to an image from there. As it happens, I am delivering the images via javascript but this file could be called up in the same way the image can be.

Admittedly not many users would be motivated to do this but I would like to prevent it if possible either denying the path to the image or to the javascript file, whilst allowing the html page to continue displaying the images.

lucy24
msg:4385382
 10:54 pm on Nov 9, 2011 (gmt 0)

If the pictures are important and you really need to exclude people who enter the exact filename "cold" (as opposed to prowling about the directories), you may have to lock out some innocent users. It's one of those icky trade-offs.

Apache itself can't distinguish between where the user actually is-- that is, on your page or just sitting in front of a blank monitor-- and what they did to get to a picture. To your htaccess file, there's no difference between blatant hotlinking and "click to see full-size image". And there's no difference between the various kinds of null referer.

It can mean at least three different things: The user entered the filename directly (or via a bookmark). The user's browser and/or IP doesn't send referers. The user deliberately configured their browser not to send referers. If you lock out groups 1 and 3, you're also locking out group 2.

You can set cookies that tell you whether the user really is on the page that's requesting the image. But then you have to deal with the various reasons for people turning off cookies. Some sites put up a little message saying "To use this page, you must have cookies enabled in your browser." Usually they say it before even trying to write a cookie, which makes no sense to me.

And then you have to run two different hotlink routines: one for the bona fide hotlinkers, another for the people who might be unsuspecting victims of their IP, or using a public terminal where they can't change the settings. You don't want to scream NO HOTLINKS in green-on-magenta (that's what mine does ;)) at people who aren't doing anything wrong.

It is probably impossible to keep people from downloading an image that they arrived at legitimately. You can only make it more hard or less hard. But at least they've seen it in context once.
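The cookie idea mentioned above (a marker that proves the visitor loaded one of your HTML pages before asking for an image) looks like this in .htaccess. This is an added example and not the poster's setup; it assumes mod_headers and mod_rewrite are available, and the cookie name "gallery" and the protected/ folder are placeholders.

```apache
RewriteEngine On

# Whenever one of the gallery HTML pages is served, hand the browser a marker
# cookie. HttpOnly keeps page scripts from reading it; SameSite=Strict means
# it is only sent back on same-site requests such as the page's own <img> tags.
<FilesMatch "\.html$">
    Header set Set-Cookie "gallery=1; Path=/; HttpOnly; SameSite=Strict"
</FilesMatch>

# Refuse image requests under protected/ that do not carry the marker cookie.
# This catches a path typed "cold" into the address bar, but also anyone who
# has cookies disabled, which is the trade-off the reply describes.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)gallery=1(;|$)
RewriteRule ^protected/.*\.(jpe?g|png|gif)$ - [F,NC]
```

The cookie is only a marker, not a secret: anyone who has viewed a page already holds it, so this raises the effort for casual direct requests without preventing a visitor who saw the image in context from saving it, which is the point made in the last paragraph.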

cranfan
msg:4386817
 6:01 pm on Nov 14, 2011 (gmt 0)

Lucy thanks.

As you say:

You can only make it more hard or less hard

I have probably done enough. I've managed to avoid cookies so far but thanks for the suggestion.
