Daniel Yañez wrote:
OK, so I will use a dirty example since maybe this will be clearer. Let's assume that I cannot put images outside the root of my domain for the purposes that you explain. That only leaves me the option of using normal folders (e.g. www.domain.com/images) to put my images in. Let's say I'm running an ADULT website, where users have to pay to register and then log in to get access to the private pages. I am using PHP and sessions to verify that the user indeed exists in my database and that he is a valid user. Everything is perfect here. I then forward the user to a secure page. This secure page verifies the existence of a valid session and, if so, displays the content. If the session is not valid it redirects the user to another page asking him to log in or whatever. This secure page contains a gallery of a beautiful girl, a gallery with pictures only registered members are allowed to see. One of the pictures has a URL, for example www.domain.com/images/kellyNaked.jpg. The registered user who is allowed to see that picture can save the picture, print the screen, download it, etc. I have no control over that, I know. But my problem is that he shouldn't be able to send the link to a friend. Nobody should be able to just type www.domain.com/images/kellyNaked.jpg and have the image open. Otherwise, why pay??? If a user figures out the folder structure he could easily find the other pictures.
Now, all this about using a folder outside the root for private pictures was initially suggested because other people said they actually place files outside the root that they wanted to be private and only be served by a page inside the server. Maybe this technique works only for code files (.php etc.). Or at least that's what everyone in this newsletter is telling me. So then, my question was, how to deliver images (or other media files) that are supposed to be only accessible to registered users from a folder inside my root, without having the risk of people just linking to them directly. There is no way to prevent this, obviously, with any kind of PHP script, or Java, or anything. This has to be done by something (and I assumed it was Apache) in the server. I was almost ready to start using .htaccess, but then on the official Apache website, http://httpd.apache.org/docs/1.3/howto/htaccess.html, they suggest not using an .htaccess file because it slows down the server, plus it is insecure.

My question to you guys now is different: what are the recommended ways to have a secure folder in my website that will only deliver its content to users when it is requested by a script inside my server? If it really has nothing to do with Apache, then I'm sorry, but I think it is a combination of a server language like PHP and Apache... Maybe I'm wrong, but I would like any suggestions or opinions you guys might have.
Thanks again, and sorry for so many questions. I hope I can get the answers to my questions or at least better ideas of where to look.
Cheers!!
---------------- End original message. ---------------------

Please stop top-posting; it is rude and makes reading the replies in order a pain in the ass.

Now I think you are making some assumptions here that are wrong. You've got some of the ideas correct but you aren't putting them all together properly.

First, .htaccess is not the only access control scheme that has an impact on server performance. Any sort of authentication, whether done by Apache, a third-party module, or your script, is going to impact server performance. The thing is that this is the price you have to pay to restrict access. The big hit with .htaccess is when it is used at multiple levels within a file tree. Each time an .htaccess file appears in the tree, it has to be accessed and verified by the server.

Second, .htaccess in and of itself is not necessarily insecure. How you use it and exactly where your .htaccess files live have a large bearing on just how secure your system will be. This is not a simple topic by any means. Nor does this touch on user passwords being weak and all sorts of other problems which are not unique to this scheme.

Third, putting the image files outside the server root prevents them from being served by Apache directly; this really is what you want to achieve. However, this means that something else has to serve them for Apache, and this is generally done via some sort of script file that checks the authentication and then sends the requested image file. Apache can't serve anything it does not know how to get to, and putting the files outside of the server root structure will prevent Apache from finding those files.

There are open source applications that do exactly what you want: the files get served by the scripts and are not directly accessible via the web URL space. Do a little searching and you can find examples of this sort of script.

So in summary, Apache by itself cannot do what you want. You have to do some scripting or install an application somebody else wrote that will do it.
Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
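As an added example (not code from either message in this thread), here is the kind of gatekeeper script Dragon describes: the images live in a directory outside Apache's DocumentRoot, so no URL maps to them, and a PHP page checks the session and streams the file itself. The directory /var/www/private_images, the script name image.php, the query parameter img and the session key member_id are all assumptions for illustration; the gallery page would reference <img src="/image.php?img=kellyNaked.jpg"> instead of /images/kellyNaked.jpg.

```php
<?php
// Added example, not from the thread. Serves member-only images that are
// stored OUTSIDE the DocumentRoot, so Apache can never hand them out by URL.
// Paths, parameter and session key names below are assumptions.

session_start();

// Assumed: the login page sets $_SESSION['member_id'] after checking the DB.
if (empty($_SESSION['member_id'])) {
    header('HTTP/1.0 403 Forbidden');   // or redirect to the login page
    exit('Members only.');
}

// Assumed location, outside the web root (e.g. DocumentRoot is /var/www/html).
// The PHP process needs read permission here; Apache must have no Alias to it.
$privateDir = '/var/www/private_images';

// Accept only a bare file name with a known image extension. Anything with a
// slash, "..", NUL byte or other extension is rejected before touching the disk.
$name = isset($_GET['img']) ? $_GET['img'] : '';
if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)\z/i', $name)) {
    header('HTTP/1.0 400 Bad Request');
    exit('Bad image name.');
}

// Defence in depth: resolve the path and confirm it really is inside
// $privateDir (catches symlink tricks the regex alone would not).
$base = realpath($privateDir);
$path = realpath($privateDir . '/' . $name);
if ($base === false || $path === false
    || strpos($path, $base . '/') !== 0 || !is_file($path)) {
    header('HTTP/1.0 404 Not Found');
    exit('No such image.');
}

// Content-Type comes from our own whitelist, never from the request.
$types = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
               'png' => 'image/png',  'gif' => 'image/gif');
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));

header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
// Keep proxies and shared caches from storing the member-only bytes.
header('Cache-Control: private, no-store');
header('Pragma: no-cache');

readfile($path);
```

Two caveats a practitioner should keep in mind. The script only controls who can fetch the URL: a paying member can still save the file and pass it on, which the original poster already accepts. And because the directory is not under DocumentRoot there is no .htaccess to get wrong; the only access path is this script, so its session check and file-name validation are the whole security boundary and deserve the same care as the login page itself.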


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
