htaccess question

[james438]

I am looking for a way to create a folder of images that is private. The images can't be inserted into a document without having htaccess permission or something equivalent. I don't want to have to login each time I want the file to fully load, so I figure I could add a limited number of ip addresses that are permitted allowed and the rest would need to enter the password. If an unlisted ip address user enters the correct password the htaccess file will update the list of allowed ip address users so that the person will not need to enter a password next time.

Anyone have ideas or could point me in the right direction? I have used htaccess in the past, but it has been several years now.

[djr33]

I don't know how you would add an IP to the OK list. That seems hard.
The rest sounds like basic stuff you can find on google.


If I were approaching this problem, I would use this method:
http://dynamicdrive.com/forums/showthread.php?t=51923

Once you do that, you can then use a single index.php page to serve all files in the folder. None can be accessed directly.

You can setup user logins, etc., and it will be fine. That removes .htaccess from the complications and you can do anything you want with PHP.


It's much easier to have a no hotlinking setup (or something similar like this) with just a standard htaccess file, but I have no idea if it's even possible to dynamically modify the IP addresses allowed.


One possibility is that you could combine the methods:
Have a .htaccess file that allows certain IPs.
If allowed, proceed to image.
If not allowed, forward to your php login page. Once logged in, add their IP to that list (.htaccess? .txt? whatever) using PHP, then they never have to do that again. And you could then show them the image or just say "now go back and reload the page".


Of course the other problem here is that if you do this, the images won't load when embedded on a page and html will be shown instead (causing errors, probably). If you want to display an alternate image that gets more complex too.


One final suggestion for all of this that would handle everything in a slightly more "proper" way:
1. Use htaccess with an "ok" IP list.
2. Use a php page to serve the images, like page.php?image=123
3. Once that page is accessed, use PHP to dynamically modify the IP address list that is allowed without the password.




Remember: if you are going to serve images using php, this means you'll need to first output the proper headers. This is crucial.

[james438]

Sorry for the late reply. I will certainly look into and try to adopt your suggestion to my site.

[james438]

Ok, I have something that works. I am using the last method you mentioned and will update it later to use your second method using a combination of htaccess and php.

For those wondering about the basic format of the code here it is:

Code:

<Limit GET POST> 
order deny,allow
deny from all
allow from 1.2.3.4
</Limit>

I have one security question. I hear that sessions and htaccess are really secure and that you should not post anything sensitive online, like bank account stuff, etc, but hypothetically I do post my bank account to this htaccess protected folder and I have tested the htaccess program on other computers and see that the program does indeed work. I also am very careful with whose IP address is in the allow list. Namely only myself. Would you say that is pretty secure?

Really, I just plan on using it to store copyrighted material.

[djr33]

In theory, it is totally secure. In reality, it probably will remain totally secure. There is a chance though that your server may be compromised and that will then be visible. Any possible way onto your server (like hacking your database or uploading a php page) may give access to the htaccess file.
Just like PHP source it SHOULD not be visible, but it's not guaranteed that no one will ever see it. For example, your host may have access and if they aren't trustworthy, then that already is someone other than yourself.

Realistically with copyrighted material it will never be that big a problem, but it's not a guarantee beyond the overall safety of your server.

Basically it's the same reasons it's a bad idea to write down your passwords and leave a notecard in your desk drawer with them-- if someone breaks into your house, they can get into your email, bank account, etc.
Is it realistically a problem? Probably not. And if that did happen would that be your biggest concern? Probably not.


In short, NEVER put anything crucial anywhere that is not completely secure. In fact, sensitive enough information should not be put ANYWHERE. Beyond that, htaccess is about as good as it'll get.