September 1st, 2004, 11:50 AM   #1
Join Date: Oct 2003
Location: uk
Posts: 61
Movies & htaccess

If like me you use PhotoPost for movies as well as images, this thread may be of interest to you.

I have been on a mission to find out how I can protect the movie files in my community from unauthorised access. "HTACCESS" I hear you shout. Ah yes, but it's not as simple as that. So I will share my findings with you here.

Slipping an htaccess file into your data directory to protect the IMAGE files within, from hotlinking, leeching etc is very straightforward, but it does not work with movies. Here's why.....

..... If you use a standard htaccess file in your data directory to block all unauthorised access to your image files, it will block all unauthorised access to your movies too. Great! BUT, it will also block all authorised access to your movies as well, so your members will not be able to watch or download the movies. This is because when you click on a movie file it will launch the appropriate media player for that file type. Unlike a web browser, media players do not pass referrer information that the htaccess is looking for, therefore, you will receive an error message telling you that the file is not there, and you will be unable to play it. Access will also be denied if you right click on the file and choose "Save target as...". This means that your members cannot access your movies at all.

Example of a standard htaccess file used in the scenario above;
Content visible to verified customers only.
To enable your members to be able to watch and download the movies while protecting all your files from hot linkers, you need to add an extra rewrite condition to allow direct browser access. Adding
Content visible to verified customers only.
to your htaccess file right below the "RewriteEngine on" line, will enable your members to access the movie files to download them or play them in a media player.

The problem is, direct browser access allows anyone to enter a URL to a file hosted on your site in their browser and view it with a media player, regardless of whether they are on your site or not. Is that such a major problem? Yes it is! Although no other sites will be able to hot link to your files in their pages, they can put the URL to your file in their page, with instructions telling their user not to click on the link, but to copy it to their browser to watch the movie, or to right click on it and use "Save target as..." to save it. Every time someone does that they are getting unauthorised access and using up your bandwidth.

Who is likely to put links to your files on their sites and include instructions on how to grab your movies? Believe it or not this is becoming very common, and the worst part is that you are unlikely to even know about it, as no referrer info will show up in your logs! There are many movie forums out there covering all sorts of subjects. They exist for the sole purpose of sharing links to movies hosted on other web sites. People post the link to a movie they have found, then explain how to get around the protection if there is any. They also share spoofing tips and proxy software etc.

On top of all this, htaccess itself is not so secure any more, even for images. It is not difficult for people to get around it if they really want to. One person getting around your htaccess may not be so bad, but one person getting around it and posting links to all your files on a forum, and telling everyone else how to get around it can be a major problem!

How would you know if this was happening to your files?
Because these direct hits do not give any referrer information, you will not see these forums showing up in your web stats. In fact they are very keen not to show up in your web stats! If you notice a lot of "No referrer" hits showing up in your web stats and perhaps you think your bandwidth is higher than it should be, it could be your first clue. One possible way of checking is to use PhotoPost's file view counter which says how many times a file has been viewed since it was uploaded. Look in your web stats. If you have a good one it should show you the files which have been hit the most for any given time period. Compare the number of hits for the same file in PhotoPost for the same time period (the time period being the time since it was uploaded). If you see a higher count in your web stats than what is shown in PhotoPost, it's a pretty likely indication that your files are being robbed, and that you have a mole or moles in your community who are grabbing the links and posting them on other forums.

What can you do to protect movie files in your PhotoPost community?
Well it seems that htaccess is not the answer. It simply does not support movie files in this way. htaccess is also becoming somewhat outdated. It doesn't offer a great deal of security as it can be exploited. Even more importantly though, now that privacy software has become so popular and is now built in to so many other applications, using htaccess is starting to do web sites more harm than good. This is because most privacy software comes preset with private headers enabled, which block their browser from sending referrer information, so even as a member of your site, they will not be able to access any files that are protected by htaccess, and they will simply give up and go elsewhere. The trouble is, they have no idea what private headers are, or that it's even enabled.

I suspect, like most PhotoPost users I'm not a programmer. So I have looked at other options that don't require programming skills. Right now the best I can come up with is a manual solution, which isn't ideal, but will at least significantly reduce the number of unauthorised hits to your movie files, and will leave plenty of broken links on those forums!

The short term solution.
Once a day or so, go to your PhotoPost directory using your FTP or SSH client and change the name of your data directory. Change it to something like data278. Then log in to your PhotoPost admin, and go to "Edit Options". Update the "Data directory virtual path" and the "Full path to PhotoPost data directory" to reflect the new name of your data directory. You should rename the data directory regularly, then perhaps they may give up posting your file links.

Maybe in the longer term, someone might make a mod to sort the problem out. Or maybe a future release of PhotoPost may have something built in to it to solve this issue. I hope so. PhotoPost is perfect in every way, but for me at least, this is the one thing that lets it down. Although in fairness it is called PhotoPost and not MoviePost, or Security Post, or..........
SLix
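The check described in the post above (compare web-server hits per movie file with the gallery's own view counter, and look at how many of those hits carry no referrer), as an added example that is not part of the original thread or of PhotoPost. The Apache "combined" log format, the host name, the file extensions, the paths and the view counts are assumptions and constructed sample values.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache "combined" log format; host, extensions and paths are assumptions.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" '
                    r'(\d{3}) \S+ "([^"]*)" "[^"]*"$')
MOVIE_EXT = (".mpg", ".mpeg", ".avi", ".mov", ".wmv")
SITE_HOST = "gallery.example"  # placeholder for your own host name

def classify_referer(referer):
    """Return 'none', 'own' or 'foreign' for a Referer header value."""
    if referer in ("", "-"):
        return "none"
    host = (urlparse(referer).hostname or "").lower()
    return "own" if host == SITE_HOST else "foreign"

def movie_hits(lines):
    """Count completed movie requests per path, split by referer class."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        # Only full 200 responses: 206 range replies would count one
        # playback several times (a simplification).
        if not m or m[2] != "GET" or m[4] != "200":
            continue
        path = m[3].split("?", 1)[0]
        if path.lower().endswith(MOVIE_EXT):
            hits.setdefault(path, Counter())[classify_referer(m[5])] += 1
    return hits

def suspicious(hits, gallery_views, tolerance=0):
    """Files whose log hits exceed the gallery's own view counter."""
    report = []
    for path, counts in sorted(hits.items()):
        total, views = sum(counts.values()), gallery_views.get(path, 0)
        if total - views > tolerance:
            report.append((path, total, views, counts["none"]))
    return report

# Constructed sample data: five log lines and the gallery's view counts.
_L = '{} - - [01/Sep/2004:10:00:00 +0000] "GET {} HTTP/1.1" 200 1024 "{}" "player"'
SAMPLE_LOG = [_L.format(ip, p, r) for ip, p, r in [
    ("203.0.113.5", "/data/500/clip1.mpg", "-"),
    ("203.0.113.9", "/data/500/clip1.mpg", "-"),
    ("198.51.100.7", "/data/500/clip1.mpg", "http://gallery.example/page"),
    ("198.51.100.7", "/data/500/clip2.avi", "-"),
    ("198.51.100.8", "/data/500/thumb.jpg", "http://gallery.example/")]]
SAMPLE_VIEWS = {"/data/500/clip1.mpg": 1, "/data/500/clip2.avi": 1}
```

Each row returned by `suspicious` is (path, log hits, gallery views, no-referrer hits); on the sample data only clip1.mpg is flagged, with 3 hits against 1 recorded view and 2 of them without a referrer.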
October 1st, 2004, 06:31 PM   #2
Registered User
Join Date: Sep 2002
Posts: 40
Well it seems that htaccess is not the answer. It simply does not support movie files in this way.
Check out this thread for an answer:
DerekT
