Re: image folder outside the root....how to access it ?


Daniel Yañez wrote:
Ok so I will use a dirty example since maybe this will be more clear. Let's assume that I cannot put images outside the root of my domain for the purposes that you explain. That only leaves me the option of using normal folders (ex. www.domain.com/images) to put my images in. Let's say I'm running an ADULT website, where users have to pay to register, and then login to get access to the private pages. I am using php and sessions to verify that indeed the user exists in my database and that he is a valid user. Everything is perfect here. I then forward the user to a secure page. This secure page verifies the existence of a valid session, and if so, then displays the content. If the session is not valid then it will redirect the user to another page asking him to login or whatever. This secure page contains a gallery of a beautiful girl. A gallery with pictures only registered members are allowed to see. One of the pictures has a url for example www.domain.com/images/kellyNaked.jpg. The registered user that is allowed to see that picture can save the picture, print the screen, download it etc. I have no control over that, I know. But my problem is that he shouldn't be able to send the link to a friend. Nobody should be able to just type: www.domain.com/images/kellyNaked.jpg and have the image opened. Otherwise, why pay??? If a user figures out the folder structure then he could easily find the other pictures.

Now, all this about using a folder outside the root for private pictures was initially suggested because other people said they actually place files outside the root that they wanted to be private and only be served by a page inside the server. Maybe this technique works only for code files (.php etc). Or at least that's what everyone in this newsletter is telling me. So then, my question was, how to deliver images (or other media files) that are supposed to be only accessible to registered users from a folder inside my root, without having the risk of people just linking to them directly. There is no way to prevent this obviously with any kind of php script, or java or anything. This has to be done by something (and I assumed it was apache) in the server. I was almost ready to start using .htaccess but then on the official apache website: http://httpd.apache.org/docs/1.3/howto/htaccess.html they suggest not using an .htaccess file because it slows down the server plus it is insecure.

My question to you guys now is different: what are the recommended ways to have a secure folder in my website that will only deliver its content to users when it is requested by a script inside my server? If it really has nothing to do with apache, then I'm sorry, but I think it is a combination of a server language like php and apache...maybe I'm wrong, but I would like any suggestions or opinions you guys might have.

Thanks again, and sorry for so many questions, I hope I can get the answers to my questions or at least better ideas of where to look at.
Cheers !!
---------------- End original message. ---------------------

Please stop top-posting, it is rude and makes reading the replies in order a pain in the ass.

Now I think you are making some assumptions here that are wrong. You've got some of the ideas correct but you aren't putting them all together properly.

First, .htaccess is not the only access control scheme that has an impact on server performance. Any sort of authentication, whether done by Apache, a third-party module, or your script is going to impact server performance. The thing is that this is the price you have to pay to restrict access. The big hit with .htaccess is when it is used at multiple levels within a file tree. Each time an .htaccess file appears in the tree, it has to be accessed and verified by the server.

Second, .htaccess in and of itself is not necessarily insecure. How you use it and exactly where your .htaccess files live have a large bearing on just how secure your system will be. This is not a simple topic by any means. Nor does this touch on user passwords being weak and all sorts of other problems which are not unique to this scheme.

Third, putting the image files outside the server root prevents them from being served by Apache directly; this really is what you want to achieve. However, this means that something else has to serve them for Apache and this is generally done via some sort of script file that checks the authentication and then sends the requested image file. Apache can't serve anything it does not know how to get to and putting the files outside of the server root structure will prevent Apache from finding those files.

There are open source applications that do exactly what you want; the files get served by the scripts and are not directly accessible via the web URL space. Do a little searching and you can find examples of this sort of script.

So in summary, Apache by itself cannot do what you want. You have to do some scripting or install an application somebody else wrote that will do it.

Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
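
A sketch of the kind of gatekeeper script the reply above describes, added here as an example and not part of the original post or of any application mentioned in the thread. The directory path, the `file` query parameter and the `user_id` session key are assumptions; the script sits inside the document root while the images sit outside it.

```php
<?php
// image.php: reachable by URL; the image directory is not.
// Assumptions (not from the thread): the login page sets $_SESSION['user_id'],
// the gallery links to image.php?file=<name>, and IMAGE_DIR is a constructed path.
declare(strict_types=1);

const IMAGE_DIR = '/var/private/gallery';   // outside DocumentRoot, readable by the PHP user
const TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Map a requested name to a real file inside $baseDir, or null if it is not allowed.
function resolve_image(string $name, string $baseDir): ?string
{
    // Bare file names only: the pattern admits no slashes, backslashes or NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $name)) {
        return null;
    }
    // realpath() resolves "." / ".." and symlinks; the result must still sit under the base.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    // Check the extension of the resolved file, so a symlink cannot expose another type.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return array_key_exists($ext, TYPES) ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {          // the same session check the member pages perform
    http_response_code(403);
    exit('Login required');
}

$name = $_GET['file'] ?? '';
$path = resolve_image(is_string($name) ? $name : '', IMAGE_DIR);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: ' . TYPES[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private');           // keep shared caches from storing member-only images
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A gallery page would then reference `image.php?file=photo1.jpg` in its `<img>` tags; the same URL pasted by someone without a valid session gets the 403 response.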


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.