I just ran into something today that I am not sure how it is being done.

I know a few things: The site is done in PHP. There is an image gallery; a URL would be something like http://www.example.com/girls/Cyn/sets/getImage/1170753147/7.jpg

I can see that url, as long as I am logged into the site. It does not appear to be referrer based, as I took the url, made a new window in a browser, and was able to load it while still logged in. In doing so, I had no referrer.

The second I log out, I am redirected to a please register/login page.

This is a heavy hit site.

How is this done? I can tell they are running Apache on Cent. When I log in, I am given a cookie that has a hash of something, which I am sure they are using to look up an id to make sure I am allowed to be logged in.

However, the above is a direct request for a resource that is just a jpg. There has to be some communication then with Apache, and their database to see the state of that request. How would merely loading a URL send off a cookie value to Apache that could then pass it off to a database?

I am about to embark on a paid membership site, and will need to protect images in the same way. This was not HTTP auth, this was form-based login, and I am at a loss as to how this was done. Any ideas?

+2  A: 

It's probably a web application that uses a session cookie for authentication and redirects if the session has not been authenticated.

Pretty much any web framework has plugins for this sort of thing. There might even be Apache modules to do it, but I haven't seen one.

BaroqueBobcat
+3  A: 

All requests go through the web server. If a site sets a cookie, then all your requests to that site will include the cookie contents until that cookie expires or is removed. It doesn't matter what you're requesting; it only matters where you are requesting it from.

If you have Firebug, open up the 'Net' tab when you're on this site and check all the requests you have made. You'll see in the request headers a 'Cookie' line. This will be on every resource requested: the images, the stylesheets, everything.

If Apache is the web server, then it could use mod_rewrite to direct your request, or it could pass it to PHP or Perl or something else that can check the cookie and output the image if valid or redirect if not.

Here is a PHP example (image output taken from php.net):

if(valid_auth($_COOKIE['auth'])) {

    // open the file in a binary mode
    $name = './img/ok.png';
    $fp = fopen($name, 'rb');

    // send the right headers
    header("Content-Type: image/png");
    header("Content-Length: " . filesize($name));

    // dump the picture and stop the script
    fpassthru($fp);
    exit;

} else {

    header('Location: /login');
    exit;
}
rojoca
A: 

> However, the above is a direct request for a resource that is just a jpg. There has to be some communication then with Apache, and their database to see the state of that request. How would merely loading a url, send off a cookie value to apache that could then pass it off to a database?

Every single HTTP request is sent to a web server. The web server will then decide how to handle the request, based on a set of rules. By default, Apache has a simple handler that just sends the requested file back to the user. There is however no reason why you couldn't configure Apache to handle all requests with a PHP script. On a high-traffic site, you would probably solve this differently, since it's a bit expensive to fire up PHP for each and every image to show, but in theory you could just make a mod_rewrite rule that pipes all requests matching a particular pattern (such as ^girls/Cyn/sets/getImage/.*) to a PHP script. This script would then read the actual file from somewhere outside the web root and print it out to the user.

troelskn
A: 

You must create a "getter" for the images. The images must be stored in a folder outside of the publicly accessible directories.

/public_html
    /js
        jquery.js
    index.php
    getimage.php

/private_images/
    myimage.jpg

Note that the private_images directory is not accessible when you go to: http://www.mysite.com/private_images

Now, to create the "getter" script.

/* This is getimage.php */
session_start(); // load the session so $_SESSION is populated

if(!isset($_SESSION['is_logged_in'])) {
    header('Location: /login');
    exit;
}

/*
Get the image_name from the URL
You will be using something like: http://mysite.com?image_name=flowers.jpg
This is the way to get the image.
*/
$path = "/var/www/html/private_images";
// basename() drops any directory part, so "../" cannot escape $path
$name = $path.'/'.basename($_GET['image_name'] ?? '');
$fp = is_file($name) ? fopen($name, 'rb') : false;
if ($fp === false) {
    // unknown or unreadable image
    http_response_code(404);
    exit;
}

// send the right headers
header("Content-Type: image/jpeg");
header("Content-Length: " . filesize($name));

// dump the picture and stop the script
fpassthru($fp);
exit;

If you missed the comment above, you can do this to retrieve the image:

http://mysite.com?image_name=flowers.jpg
wenbert
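
A getter that accepts nested paths, such as the set id plus file name in the question's URL, has to confirm that the resolved file still sits inside the private directory before sending it. The following is an added example, not code from any of the answers above; the function name, the extension list and the temporary directory layout are assumptions made for the demonstration, and the session check shown in the answers would run before it.

```php
<?php
// Added example (not from the original answers). resolve_private_image()
// is a hypothetical helper name.

// Allowed extensions mapped to the Content-Type to send (assumed list).
const IMAGE_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

/**
 * Map a client-supplied relative path to a file under $baseDir.
 * Returns [absolutePath, mimeType], or null when the request must be refused.
 */
function resolve_private_image(string $baseDir, string $requested): ?array
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", resolves symlinks, and fails on missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment: the resolved file must still live below the base directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return array_key_exists($ext, IMAGE_TYPES) ? [$real, IMAGE_TYPES[$ext]] : null;
}

// Constructed demo: a throwaway tree standing in for the private directory.
$root = sys_get_temp_dir() . '/getter_demo_' . getmypid();
mkdir("$root/private_images/1170753147", 0700, true);
file_put_contents("$root/private_images/1170753147/7.jpg", 'fake image bytes');
file_put_contents("$root/config.php", 'not an image, outside the image dir');

$requests = ['1170753147/7.jpg', '../config.php', '1170753147/../../config.php', 'missing.jpg'];
foreach ($requests as $r) {
    $hit = resolve_private_image("$root/private_images", $r);
    echo str_pad($r, 30), $hit ? "serve as {$hit[1]}" : 'refuse', PHP_EOL;
}

// Remove the constructed files again.
array_map('unlink', ["$root/private_images/1170753147/7.jpg", "$root/config.php"]);
array_map('rmdir', ["$root/private_images/1170753147", "$root/private_images", $root]);
```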