On Jan 4, 2008 1:30 PM, tedd <tedd.sperling@xxxxxxxxx> wrote:
> At 1:08 PM -0500 1/4/08, Daniel Brown wrote:
> >On Jan 4, 2008 12:58 PM, tedd <tedd.sperling@xxxxxxxxx> wrote:
> > > Now, how can I stop that from happening?
> >
> >     You could do link expirations with an auto-generated URL to mask
> >the actual location, or could even create a dynamic symlink or copy on
> >the server itself.  Have it expire and regenerate a new link every 15
> >minutes.
>
> ???
>
> You lost me at "You could do.."
>
> You have an example?

    Not really, but I do have theory in explanation:

    1.) Links are generated to the videos based on a cron that runs
every 15 minutes.  The links can either be generated for each
individual, or can be generated for the server as a whole.  While the
former is more secure, the latter is much more prudent and takes far
less resources.  Chances are, a global re-address should suffice.

    2.) The generated links are stored in a database, and are called
when a page loads.  See the postscript for one possible point of
interest related to this.

    3.) The user clicks the generated link, which is a mask to the
actual file.  The user does not see the actual file, however, as this
is where Rob's idea of flushing the file through the buffer comes into
play.  The file is `read` through the buffer to the client.

    ALTERNATIVE 1: The cron can create symlinks on the server to the
original files to be used either under the user's directory (to which
they, and only they, have access), or done globally.

    ALTERNATIVE 2: Physically copy the files into the user directory,
and have them renamed or removed from the directory on a schedule.

    This will allow you to halt access should the files be hotlinked.
Conversely, you can do what I've done over the years: when you detect
that someone is displaying an image on their page that resides on your
server, eating your bandwidth, you replace it with something
undesirable.  For example, I had a wannabe tough-guy on MySpace
displaying a graphic from one of my sites (militaria) on his profile.
It was a rather large graphic that was sucking down about 50MB per day.
I replaced it with a cute graphic announcing how much he enjoyed
Pokemon, and the linking stopped within about 48 hours.

    So there are plenty of viable methods.... choosing which works best
in your situation is the key.

    P.S. - In Step 2, keep in mind that, if a page is loaded and a link
not clicked prior to the next run of the cron (and subsequent
generation of links for the client to receive), the links will cause
404 errors.  One solution would be to maintain a key in the database,
with one or two rows of previously-generated links.  This will allow a
minimum of 16 minutes (on two rows) to a maximum of 44 minutes (on
three rows).  The $_SESSION['key'] (or ?key=xxxx) variable is looked up
in the database when the link is clicked, and PHP determines how to
translate the link.  If it's not found, the session has been active and
idle for too long, and times out.  This is another recommended layer of
security for any user area, of course, because there should be no Good
Reason[tm] that anyone would be staring blankly at a page for 44
minutes.  If they simply forgot about the session, then they can suffer
the consequences and take the 30 seconds (or less) required to log in
again.

--
Daniel P. Brown
[Phone Numbers Go Here!]
[They're Hidden From View!]

If at first you don't succeed, stick to what you know best so that you
can make enough money to pay someone else to do it for you.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
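
The expiring-link lookup described in steps 1 to 3 and the P.S. above, as an added example that is not part of the original message. The table layout, function names, file path, timestamp and the use of in-memory SQLite are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example: schema, names and paths are assumptions, not from the post.
const GENERATIONS_KEPT = 3;   // current row plus two previous, per the P.S.

// Run by the 15-minute cron: issue a fresh random key per file, then drop
// generations that fall outside the kept window.
function rotateLinks(PDO $db, array $files, int $now): void
{
    $gen = intdiv($now, 900);                       // 15-minute generation number
    $ins = $db->prepare('INSERT INTO links (link_key, path, gen) VALUES (?, ?, ?)');
    foreach ($files as $path) {
        $ins->execute([bin2hex(random_bytes(16)), $path, $gen]);
    }
    $db->prepare('DELETE FROM links WHERE gen <= ?')->execute([$gen - GENERATIONS_KEPT]);
}

// Run when a link is clicked: translate ?key=... to the real file, or return
// null when the key has expired (caller answers 404 or asks for a new login).
function resolveLink(PDO $db, string $key): ?string
{
    if (!preg_match('/^[0-9a-f]{32}$/', $key)) {
        return null;                                // reject malformed keys early
    }
    $q = $db->prepare('SELECT path FROM links WHERE link_key = ?');
    $q->execute([$key]);
    $path = $q->fetchColumn();
    return $path === false ? null : $path;
}

// Constructed demo data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (link_key TEXT PRIMARY KEY, path TEXT, gen INTEGER)');

$files = ['/srv/private/video1.flv'];               // hypothetical protected file
$t0 = 1199471400;                                   // constructed cron timestamp
rotateLinks($db, $files, $t0);
$key = $db->query('SELECT link_key FROM links')->fetchColumn();
rotateLinks($db, $files, $t0 + 900);
rotateLinks($db, $files, $t0 + 1800);
var_dump(resolveLink($db, $key));                   // key is two rotations old
rotateLinks($db, $files, $t0 + 2700);               // fourth run drops its generation
var_dump(resolveLink($db, $key));

// In the download script, once resolveLink() returns a path, the file is read
// through PHP so the real location is never sent to the client:
//   header('Content-Type: application/octet-stream'); readfile($path);
```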