IndexIgnore */*
To stop people seeing what’s in the directory but it is still pretty easy for them to work out the path etc so do I?
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^www.my-site.com/thispage.php* [NC]
RewriteCond %{HTTP_REFERER} !^www.my-site.com/anotherpage.php* [NC]
RewriteCond %{HTTP_REFERER} !^www.my-site.com/thatpage.php* [NC]
RewriteRule ^(.*)$ [my-site.com...] [R,L]
Or do I?
<LIMIT GET>
order deny, allow
deny from all
allow from .my-site.com/thispage.php*
allow from .my-site.com/anotherpage.php*
allow from .my-site.com/thatpage.php*
</LIMIT>
or is htaccess not the way to go and should I move my data outside my web space and do the session ID and cookie validating thingy?
Thanking you in advance
westend
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.my-site.com/thispage.php.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.my-site.com/anotherpage.php.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.my-site.com/thatpage.php.*$ [NC]
RewriteRule ^.*mp3$ [my-site.com...] [NC,R,L]
An image or media link won't redirect, so you might as well use a simple 403-Forbidden response. In addition, many media players won't provide any referer, so you'll have to allow blank referers, as provided for in the additional (first) RewriteCond. I escaped your referrer path, and removed the superfluous "*" at the end -- which would have allowed zero or more "p" characters after ".ph", but is not needed anyway.
RewriteEngine On
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://www\.my-site\.com/thispage\.php [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.my-site\.com/anotherpage\.php [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.my-site\.com/thatpage\.php [NC]
RewriteRule .* - [F]
A cookies-based approach, where you set a cookie on /thispage\.php, /anotherpage\.php, or /thatpage\.php, and then check it in mod_rewrite (or in a "media-serving" script) would be a much better solution for access control.
Jim
IndexIgnore */*
<Files "*.wav">
order deny,allow
deny from all
</Files>
to stop people grabbing the waves (one user took 250Mb) until I can write the cookie based access control.
Do you know of any good sites for tutorials on the subject?
Thanks
westend
2) I don't know of any tutorials. But the two steps are: Set a cookie on your "authorized" pages. Then check it when access to a media file is requested, and deny access if the cookie is missing, invalid, or outdated. There are many ways to do it, depending on your programming methods of choice.
If you find a good tutorial on an authoritative, non-commercial site, you can post it here.
Jim
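The two steps described above (set a cookie on the "authorized" pages, then deny media requests whose cookie is missing, invalid, or outdated), as an added example that is not part of the original thread. The secret, the cookie name `media_ok` and both function names are assumptions made for illustration.

```php
<?php
// Added example: HMAC-signed, expiring cookie token for media access.
// MEDIA_SECRET, the cookie name "media_ok" and the function names are assumptions.
const MEDIA_SECRET = 'replace-with-a-long-random-server-side-secret';

// Token format: "<expiry unix time>.<hex HMAC-SHA256 of the expiry>".
function issue_media_token(int $now, int $ttl = 900, string $secret = MEDIA_SECRET): string
{
    $expiry = (string) ($now + $ttl);
    return $expiry . '.' . hash_hmac('sha256', $expiry, $secret);
}

// True only for a token that is present, correctly signed and not yet expired.
function check_media_token(?string $token, int $now, string $secret = MEDIA_SECRET): bool
{
    if ($token === null || substr_count($token, '.') !== 1) {
        return false;                              // missing or malformed
    }
    [$expiry, $mac] = explode('.', $token);
    if (!ctype_digit($expiry)) {
        return false;                              // expiry must be plain digits
    }
    // Constant-time comparison against the MAC the server would have issued.
    if (!hash_equals(hash_hmac('sha256', $expiry, $secret), $mac)) {
        return false;                              // invalid: forged or altered
    }
    return (int) $expiry >= $now;                  // outdated once the expiry has passed
}

// On an authorized page, before any output:
//   setcookie('media_ok', issue_media_token(time()), 0, '/', '', false, true);
// In the media-serving script:
//   $t = $_COOKIE['media_ok'] ?? null;
//   if (!is_string($t) || !check_media_token($t, time())) { http_response_code(403); exit; }

// Constructed demonstration with a fixed clock so the results are repeatable.
$t0    = 1700000000;
$token = issue_media_token($t0);
$cases = [
    'valid'    => [$token, $t0 + 60],
    'missing'  => [null, $t0 + 60],
    'tampered' => [($t0 + 999999) . substr($token, strpos($token, '.')), $t0 + 60],
    'outdated' => [$token, $t0 + 901],
];
foreach ($cases as $name => [$tok, $now]) {
    printf("%-8s %s\n", $name, check_media_token($tok, $now) ? 'allow' : 'deny (403)');
}
```

The token is not bound to a particular visitor, so anyone holding a copy can use it until it expires; the short lifetime is what limits sharing.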
or is htaccess not the way to go and should I move my data outside my web space and do the session ID and cookie validating thingy?
Using PHP and session IDs is the best solution and you can move the files outside your web space. Here's an example solution that uses the visitor's IP address for the session ID. You could use anything you like for the session.
Put the following code at the top of your pages that contain the download links.
<?php
session_start();
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
?>
Save the following code as download.php in each of the directories that contain download links.
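<?php
// download.php: serve a file stored outside the web root to visitors with a valid session.
$path = "/home/customer/downloads/";
$remote = $_SERVER['REMOTE_ADDR'];
// basename() drops any directory part, so "../" in the parameter cannot escape $path.
$file = basename(isset($_REQUEST['download']) ? $_REQUEST['download'] : '');
session_start();
if (isset($_SESSION['ip']) && $_SESSION['ip'] === $remote && $file !== '' && is_file($path . $file)) {
    header("Content-Length: " . filesize($path . $file));
    header("Content-Type: application/force-download");
    header('Content-Disposition: attachment; filename="' . $file . '"');
    readfile($path . $file);
    exit;
} else {
    // No valid session, or no such file: redirect to the home page (placeholder URL).
    header('Location: http://domain.tld/');
    exit;
}
?>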
The download links would be in the following format.
<a href="download.php?download=file.mp3">
When someone visits the download pages they are assigned a session ID.
When a user tries to download a file it checks for a valid session and then allows the user to download files. If there's no valid session the user would be redirected to your home page.
westend