Only allow access to images from one php file

nickknowledge

2:46 am on Mar 21, 2005 (gmt 0)

Hi, I'm having difficulty with a .htaccess file.

A site I'm working on is for school kids to see how well they're doing in e.g. Math. They read questions, on any they are unsure of, they can click to another page to watch a short flash movie, or do sums, or another activity which would clarify the point for them.

In order to access the content, they need to be logged in, and the requests for the images and movies come from


http://www.mysite.com/admin/tasks.php?question_id=33&action=video_show&video_url=puzzle.swf

The true URI of the flash movie is:


http://www.mysite.com/content/video/puzzle.swf

I want to prevent access to the /content/video/ directory except for the /admin/tasks.php page.

This is what I've got so far:


RewriteEngine On
Options +FollowSymLinks
RewriteBase /content/video/
RewriteCond %{REQUEST_URI} !^/admin/tasks.php [NC]
RewriteRule ^(.+\.(jpg|png|gif|swf|wmv|mov))$ /content/errors/protected-image.php [L]

This code is overly restrictive, and I can't access it from the /admin/tasks.php page.

Any ideas? Thanks, Nick.

sitz

2:53 am on Mar 21, 2005 (gmt 0)

This thread [webmasterworld.com] should have what you need, I think. There's a PHP snippet a few messages in which does what I /think/ you're asking for.

incrediBILL

2:57 am on Mar 21, 2005 (gmt 0)

OK, your approach is very problematic

What you want is very much like softgoods downloading on ecommerce site.

Put the images in a PRIVATE directory not accessible via HTTP

Provide the images via a server side script that displays the image only if the user is logged in.
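The approach described above, written out as an added example (this is not code from the thread or from the poster's site): a serving script that checks the PHP session and streams a file from a directory outside the document root. The private directory path, the `user_id` session key and the script name are assumptions.

```php
<?php
// serve_video.php: added example, not code from the thread.
// Assumes the login page sets $_SESSION['user_id'] and that the media files
// live in a directory that is NOT under DocumentRoot (hypothetical path below).
session_start();

const PRIVATE_DIR   = '/var/www/private/video';
const ALLOWED_TYPES = [
    'swf' => 'application/x-shockwave-flash',
    'mov' => 'video/quicktime',
    'wmv' => 'video/x-ms-wmv',
    'avi' => 'video/x-msvideo',
];

// 1. Only logged-in users get anything at all. The decision rests on the
//    server-side session, not on a client-supplied header such as Referer.
if (empty($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Login required.');
}

// 2. Reduce the requested name to a plain filename. basename() drops any
//    directory component, so "../../etc/passwd" becomes just "passwd".
$name = basename($_GET['file'] ?? '');
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if ($name === '' || !isset(ALLOWED_TYPES[$ext])) {
    header('HTTP/1.1 404 Not Found');
    exit('No such file.');
}

// 3. Resolve the real path and confirm it is still inside PRIVATE_DIR.
//    realpath() collapses symlinks and "..", so this is an independent check.
$base = realpath(PRIVATE_DIR);
$path = realpath(PRIVATE_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.1 404 Not Found');
    exit('No such file.');
}

// 4. Stream the file with an explicit type so the browser does not sniff it.
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The page that embeds the movie would then reference `serve_video.php?file=puzzle.swf` instead of a URL under `/content/video/`, and nothing in that directory is reachable by URL at all.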

nickknowledge

4:18 am on Mar 21, 2005 (gmt 0)

Sitz: Thanks for the link - it wasn't quite the behaviour I was aiming for.

incrediBILL: I appreciate the advice to locate the files above the document root.

Surely there is a way to get the .htaccess file to match.

Effectively the behaviour I want is
"If it isn't /admin/tasks.php requesting the image, then deny image files by routing to a custom 403."

Should I be using $REQUEST_URI, or $HTTP_REFERER? (Referer should be set, as the tasks.php reloads itself, and embeds the flash movie content).

Thanks, Nick.

sitz

12:23 pm on Mar 21, 2005 (gmt 0)

HTTP_REFERER would be the correct variable, but it's not 100%, since bypassing any security which uses only the referer isn't all that difficult.

nickknowledge

2:58 am on Mar 23, 2005 (gmt 0)

This is the code which is achieving the effect I'm after:


ErrorDocument 403 /content/errors/content-403.php
RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_REFERER} !^/admin/tasks.php.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.com/admin/tasks\.php [NC]
RewriteCond %{REQUEST_URI} !^/admin/tasks\.php$ [NC]
RewriteCond %{REQUEST_URI} !^http://(www\.)?mysite\.com/admin/tasks\.php$ [NC]
RewriteRule \.(avi|swf|wmv|mov)$ - [F,NC]

If there's a more elegant way to achieve this, then I'd be pleased to hear it, but this may help someone else out.

Thanks for the suggestions.

sitz

3:25 am on Mar 23, 2005 (gmt 0)

Some thoughts:

* unless you're using an OS which isn't case-sensitive for the filesystem (windows, for instance) the [NC] flags to your RewriteCond's are not needed when the argument doesn't contain a hostname

* why does your second RewriteCond end in "php.*"?

* why does your third RewriteCond not have a '$' at the end of the string?

* You could combine a couple of your rules; this:


RewriteCond %{HTTP_REFERER} !^/admin/tasks.php.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.com/admin/tasks\.php [NC]

...becomes this:

RewriteCond %{HTTP_REFERER} !^(http://(www\.)?mysite\.com)?/admin/tasks\.php [NC]

Although at that point you're (arguably) substituting readability for fewer rules. Bit of a judgement call, that.

As long as you don't expect this to stop a determined person, you're fine. And by 'determined' I mean "knows the right (single!) command to issue from a unix command line" =)