Old December 10th, 2004, 07:21 AM   #1 (permalink)
Member
 
Join Date: Jun 2004
Posts: 164
Security issues

Scenario:

I've got a category which only members of a specific usergroup (paid subscription) can access.
Now their subscription expired, they don't have access to the category any more.
But what if they did copy the direct URLs to the images?

Then they can still access them.

Question: How can I prevent anyone from viewing the images who does not have permission to do so? This is a must-have for me.

Any ideas?
Kirby is offline   Reply With Quote
Old December 10th, 2004, 08:54 AM   #2 (permalink)
Brian
Guest
 
Posts: n/a
Re: Security issues

I'm thinking an .htaccess file would probably be the best way. If you can give me until this afternoon I'll dig something up for you.
  Reply With Quote
Old December 10th, 2004, 08:55 AM   #3 (permalink)
Registered User
Verified Customer
 
Join Date: Nov 2005
Posts: 1,400
Re: Security issues

Kirby,

Do you mean a direct URL to the actual image name itself or a URL to the gallery index page? If you mean to the actual image name I don't think there is too much that can be done about it because the files are being stored on disk instead of in the DB.
KW802 is offline   Reply With Quote
Old December 10th, 2004, 08:56 AM   #4 (permalink)
Member
 
Join Date: Jun 2004
Posts: 164
Re: Security issues

Don't hurry, it's not that urgent.
Currently I am just playing around on my test server.

I thought mod_auth_cookie combined with a Perl authentication handler could do the trick, but that sounds like a real PITA.
Kirby is offline   Reply With Quote
Old December 10th, 2004, 08:57 AM   #5 (permalink)
Registered User
Verified Customer
 
Join Date: Nov 2005
Posts: 1,400
Re: Security issues

Quote:
Originally Posted by Brian
> I'm thinking an .htaccess file would probably be the best way. If you can give me until this afternoon I'll dig something up for you.

But would that work based upon VB permissions?

If "yes" then I'm curious about this one also.
KW802 is offline   Reply With Quote
Old December 10th, 2004, 08:58 AM   #6 (permalink)
Member
 
Join Date: Jun 2004
Posts: 164
Re: Security issues

Quote:
Originally Posted by KW802
> Kirby,
>
> Do you mean a direct URL to the actual image name itself

Yep.

As I need this for adult content I must make sure that nobody who does not have permission can access the files.

There are ways to do this without storing the files in database, but it's complicated ...
Kirby is offline   Reply With Quote
Old December 10th, 2004, 09:03 AM   #7 (permalink)
Registered User
Verified Customer
 
Join Date: Nov 2005
Posts: 1,400
Re: Security issues

Quote:
Originally Posted by Kirby
> Yep.
>
> As I need this for adult content I must make sure that nobody who does not have permission can access the files.
>
> There are ways to do this without storing the files in database, but it's complicated ...

If you don't mind, I'd love to see the solution that you guys come up with, if/when it's found. That would be a pretty nice 'widget' to have in the misc. code toolbag for future use.
KW802 is offline   Reply With Quote
Old December 10th, 2004, 09:29 AM   #8 (permalink)
Brian
Guest
 
Posts: n/a
Re: Security issues

There would be a few ways to protect them. One simple method would be to store the files below your root directory, but then we run into the problem of having to process too much just to show some thumbnails. Something like that may be worth it for some users, but I wouldn't think it would be for most.
  Reply With Quote
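
The approach from post #8 (originals kept outside the web root and served by a script), as an added example that is not part of the original thread and is not PhotoPost or vBulletin code: the permission check runs on every request, so a copied URL stops working once the subscription lapses. `PRIVATE_DIR`, the `f` parameter, the `user_id` session key and `user_may_view()` are assumptions; the last one stands in for the forum's usergroup lookup.

```php
<?php
// image.php: added example. Serves an original image stored outside the
// web root, and only after a permission check.

// Assumption: originals live outside the document root, so no URL maps to them.
const PRIVATE_DIR = '/var/gallery-private';

// Hypothetical stand-in for the gallery/forum usergroup permission lookup.
function user_may_view(?int $userId): bool
{
    // Constructed sample data: user id => subscription expiry (Unix time).
    $subscriptions = [42 => strtotime('2030-01-01')];
    return $userId !== null
        && isset($subscriptions[$userId])
        && $subscriptions[$userId] > time();
}

// Map a requested name to a real file inside PRIVATE_DIR, or null.
function resolve_image(string $name): ?string
{
    // Accept a bare file name only, so "../" cannot leave PRIVATE_DIR.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif)\z/i', $name)) {
        return null;
    }
    $base = realpath(PRIVATE_DIR);
    $path = realpath(PRIVATE_DIR . '/' . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing file, or a symlink pointing elsewhere
    }
    return is_file($path) ? $path : null;
}

session_start();
$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;

// Authorize before touching the file system: a caller without access
// learns nothing about which file names exist.
if (!user_may_view($userId)) {
    http_response_code(403);
    exit;
}
$name = isset($_GET['f']) && is_string($_GET['f']) ? $_GET['f'] : '';
$path = resolve_image($name);
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . mime_content_type($path));
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store'); // keep shared caches from storing it
readfile($path);
```

Every image request now runs PHP and a permission lookup, which is the processing cost the post mentions for thumbnails.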
Old December 10th, 2004, 09:57 AM   #9 (permalink)
Ultimate Member
 
Join Date: Jan 2004
Posts: 2,196
Re: Security issues

What about storing the thumbs above the root and not storing the real source below the root?
Zachery is offline   Reply With Quote
Old December 10th, 2004, 10:05 AM   #10 (permalink)
Brian
Guest
 
Posts: n/a
Re: Security issues

Thought about that... Just still exploring the options to see what might work better for those who need more security.
  Reply With Quote
Old December 10th, 2004, 10:34 AM   #11 (permalink)
Ultimate Member
 
Join Date: Jan 2004
Posts: 2,196
Re: Security issues

Bad part about htaccess is it only works in Apache; that leaves our IIS users alone out there.
Zachery is offline   Reply With Quote
Old December 20th, 2004, 10:06 PM   #12 (permalink)
Member
Verified Customer
 
Join Date: Jun 2004
Posts: 131
Re: Security issues

Begin Two cents;

htaccess referrer protection is easy to implement and works great. Google for it or consult the photopost site.

But the support issues will kill you. Many adults saw ZoneAlarm et al. selling them "privacy and security and safety" so they snapped it up. Now their browsers are not sending referrers in the headers, and the adults haven't got a clue how to configure their privacy to make an exception for your site.

Or, scan your weblogs every once in a while and start using htaccess to block the unknowns. Or... this is a subject that thrives in adult webmaster forums.

Don't let it bog down gallery development. Keep the coding at vb strength: solid php code is the best defense.

Never show direct urls. I haven't seen the gallery do that yet, but I'm still just getting wet. If a body is going to dig through the html to pull out the url, you have a genuine and determined thief on your hands. It's outside the scope of this software.

End two cents;
StewardManscat is offline   Reply With Quote
Old December 21st, 2004, 08:44 AM   #13 (permalink)
Member
Verified Customer
 
Join Date: Oct 2004
Location: Florida
Posts: 318
Re: Security issues

Quote:
Originally Posted by StewardManscat
> Never show direct urls.

Simply "right click" and choose "properties" and you have the photo URL.

No right click? View Source and dig it out.

Can't view source?

<tools><internet options><settings><view files> and grab what you want.

Fact is, you can't stop this problem without really getting into heavy software control. Then it does become a P.I.T.A.
oldengine is offline   Reply With Quote
All times are GMT -5.