Welcome to WebmasterWorld Guest from 23.22.19.253

Forum Moderators: Ocean10000 & incrediBILL & phranque

Message Too Old, No Replies

Deny direct path but not from html

   
8:07 pm on Feb 2, 2009 (gmt 0)

5+ Year Member



I suspect this is impossible, but I am going to ask anyway.

I have a directory with pictures which are called from a webpage (normal <img>-tag), but I don't want people to look at the source of my page and then type in the direct path to these images.
In other words, I want direct access to these images to be impossible, but still be able to show them on my page.

Can this be done with htaccess?

Thanks

8:29 pm on Feb 2, 2009 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Yes.

Create an htaccess within the image folder, ONLY allowing access from your own websites pages.

Jim gave an example of this some time ago (and has not lingered on since). I failed to bookmark the thread and have been unable to locate it.

11:15 pm on Feb 2, 2009 (gmt 0)

5+ Year Member



Hi,

you mean using something like:

RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g¦gif¦bmp¦png)$ /images/nohotlink.jpe [L]

I came across a few scripts like that, but they all fail to work. I guess because either:

1) typing www.your-domain.com/gallery/pictures/picture.jpg acts as access from own site, or:
2) HTTP_REFERER is blocked (by a firewall or something)

12:28 am on Feb 3, 2009 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Here's the thread I was looking
[webmasterworld.com...]
2:15 am on Feb 3, 2009 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



That thread only applies to cases where a script is used to "include" objects.

In order to prevent direct image access, you need to use an image-serving script that checks for a cookie set by the page that is "authorized" to display the image, or you need to play games with dynamically changing the image URLs, and then using .htaccess or a script to "reconnect" the frequently-changed URLs with the actual file location on your server.

Be advised, however, that once someone sees your image on their screen, they can copy it -- either using "Save image as" in the browser, or simply by taking a screenshot.

Jim

10:54 am on Feb 3, 2009 (gmt 0)

5+ Year Member



Hi jdMorgan,

How would one initiate a script that checks for a cookie during direct access? I only have a little more than basic knowledge of apache.

As for copying the image on-screen, I already have a watermark-script in place to prevent that.

Just to give you an idea what I need, I currently display images so:

<img id="bigpicture" src="image.php?main=gallery/full/01.jpg&amp;watermark=gallery/watermark.png" />

[edited by: Bert36 at 10:59 am (utc) on Feb. 3, 2009]

3:47 pm on Feb 3, 2009 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



So you have already "initiated a script" by pointing <img src> requests to your watermarking script.

You could add the cookie-checking to your watermark script. If your watermark script is an off-the-shelf solution and subject to frequent revisions/upgrades, or if you don't want to modify it for any other reason, then you could "wrap" that script inside another one. Your <img src> references on your pages should then call the wrapper script instead of the watermarking script. The wrapper script would then call the cookie-checker script and the watermark script in turn, and as appropriate.

Coding the scripts themselves is well outside the scope of this forum, but we do have scripting forums here... :)

Jim

3:53 pm on Feb 3, 2009 (gmt 0)

5+ Year Member



Thanks,

I feel confident enough to be able to write such a script. But something is not clear to me. How would this prevent people from looking at a picture when they type in a direct link? By typing the direct link, no script (cookie-checking or otherwise) would be called...or am I missing something?

4:05 pm on Feb 3, 2009 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



You will have to rename the image files (or perhaps just their shared directory if they are so organized) so that old "direct links" are no longer valid. You could redirect these old links to your script, to the html page that includes them, or simply let them go 404-Not Found if that's not feasible.

Jim

4:17 pm on Feb 3, 2009 (gmt 0)

5+ Year Member



ah... ofcourse.

Silly how one can sometimes miss the obvious.

Thanks a lot!