I've scanned the posts for image blocking, but most seem to relate to hotlinking. I'm building a site that contains real estate listings; the photos associated with each property are to be kept private, except for logged-in users who exceed a certain access level. When these users view a listing detail page, PHP will write the image to the page; for users without that level of access, nothing is written.
But I was thinking that if someone got their hands on the URL for a given image, they could type it in directly and view it that way. If the URL simply points to an image file, I can't perform any checks in PHP.
Can mod_rewrite help me in differentiating between requests for an image that come from within an HTML page, and requests that come directly?
Thanks.
The first thing to do is to use mod_rewrite on your images, similar to below:
from -> example.com/photos/type/house.jpg
to -> example.com/photos/type/house/jpg
Now block direct access to the images, otherwise they could just link directly to the file (I hope these are correct):
RewriteCond %{THE_REQUEST} ^(GET|HEAD)\ /content.*$
RewriteRule ^.*$ - [F]
So now a person can't link directly to the file on your webserver. Now you have to figure out how to stop them from linking to your new link.
You could use mod_rewrite and PHP to change the virtual file path by month, day, hour, or a combination of the three. For example, when your page is generated in PHP the path looks like this:
example.com/2/photos/type/house/jpg
Then use mod_rewrite to get TIME_WDAY (2 for Tuesday, let's say) from the server. If the days match, 2 and 2, then serve the image; if not, then send an error. This of course leads to the problem with caching and rollover at midnight.
The basic idea is that your virtual file path changes, whether it be hourly, daily or monthly.
Just be sure to exclude these files in robots.txt or the search engines could be full of 404 links from your site.
Thanks for your help -- like Bon Jovi says, we're halfway there. Let me be a little more specific about what I'm looking for.
All I'm testing for right now is that an HTML page with an embedded image tag will display the image, but a direct call to that image will display a "get lost" image instead. Here's a modification of your code:
RewriteCond %{THE_REQUEST} ^(GET|HEAD)\ /listings/pics/([0-9]+)\.(jpg|jpeg) [NC]
RewriteRule ^listings/pics/([0-9]+)\.(jpg|jpeg)$ /img/no_auth.png [L]
I wasn't sure why I would have needed to change (using your example here) /house.jpg into /house/jpg, so I skipped that. The above code does indeed show the "get lost" image instead of the real image -- but it does so for both embedded and direct links.
I'm wondering now what the specific difference is between THE_REQUEST values for embedded and direct requests. I can't find documentation anywhere that explains possible values for THE_REQUEST.
Also -- I'm curious about your mention of robots.txt. What is that?
Thanks again.
None at all. THE_REQUEST is the local URL-path taken from the request sent by the browser.
Try a search [webmasterworld.com] here for "hotlinking", "RewriteCond HTTP_REFERER" and "referrer-based access control" for a lot more information. If your need to block access is serious, and nothing less than 100% effectiveness will do, then look into a cookies-and-script solution, since HTTP referrers are optional, thus making referrer-based access control only a "most of the time" thing.
Jim
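A sketch of the cookies-and-script approach suggested above, as an added example that is not code from any poster in this thread. It assumes the login code stores an integer in `$_SESSION['access_level']` and that the photos are moved outside the document root; the script name `pic.php`, the threshold, the directory and the rewrite rule in the comment are all hypothetical.

```php
<?php
// pic.php -- added example, not code from the thread.
// Assumed rule in .htaccess so the existing image URLs reach this script:
//   RewriteRule ^listings/pics/([0-9]+)\.jpe?g$ /pic.php?id=$1 [L]
// Assumed: photos are stored outside the document root, so no URL maps
// to a file directly and every request has to pass through this check.

const MIN_LEVEL   = 3;                               // hypothetical threshold
const PHOTO_DIR   = '/var/www/private/listing_pics'; // hypothetical path
const DENIED_FILE = __DIR__ . '/img/no_auth.png';    // the "get lost" image

// Decide what to send: returns [HTTP status, file path or null, MIME type].
function resolve_photo(array $session, string $id): array
{
    // Digits only, so the id can never carry "../" or other path syntax.
    if (!preg_match('/^[0-9]{1,10}$/', $id)) {
        return [404, null, null];
    }
    // No session, or a session without the key, counts as level 0.
    $level = (int)($session['access_level'] ?? 0);
    if ($level < MIN_LEVEL) {
        return [403, DENIED_FILE, 'image/png'];
    }
    $path = PHOTO_DIR . '/' . $id . '.jpg';
    if (!is_file($path)) {
        return [404, null, null];
    }
    return [200, $path, 'image/jpeg'];
}

session_start();
// Reject array-valued parameters such as ?id[]=1 before they reach the check.
$id = is_string($_GET['id'] ?? null) ? $_GET['id'] : '';
[$status, $file, $mime] = resolve_photo($_SESSION, $id);

http_response_code($status);
// Stop shared caches from storing a private photo and replaying it to others.
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
if ($file !== null && is_file($file)) {
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($file));
    readfile($file);
}
```

Because the decision rests on the session cookie rather than on the referrer, an embedded image and a typed-in URL are treated the same way: both succeed for a logged-in user at or above the threshold and both get the placeholder otherwise.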