
Thread: htaccess question

  1. #1
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    2,287
    Thanks
    97
    Thanked 104 Times in 102 Posts

    htaccess question

    I am looking for a way to create a folder of images that is private. The images can't be inserted into a document without having htaccess permission or something equivalent. I don't want to have to log in each time I want the file to fully load, so I figure I could add a limited number of IP addresses that are allowed, and the rest would need to enter the password. If a user at an unlisted IP address enters the correct password, the htaccess file will update the list of allowed IP addresses so that the person will not need to enter a password next time.

    Anyone have ideas or could point me in the right direction? I have used htaccess in the past, but it has been several years now.
    Last edited by james438; 03-08-2010 at 06:22 AM.
    To choose the lesser of two evils is still to choose evil. My personal site

  2. #2
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    I don't know how you would add an IP to the OK list. That seems hard.
    The rest sounds like basic stuff you can find on Google.


    If I were approaching this problem, I would use this method:
    http://dynamicdrive.com/forums/showthread.php?t=51923

    Once you do that, you can then use a single index.php page to serve all files in the folder. None can be accessed directly.

    You can set up user logins, etc., and it will be fine. That removes .htaccess from the complications and you can do anything you want with PHP.


    It's much easier to have a no hotlinking setup (or something similar like this) with just a standard htaccess file, but I have no idea if it's even possible to dynamically modify the IP addresses allowed.


    One possibility is that you could combine the methods:
    Have a .htaccess file that allows certain IPs.
    If allowed, proceed to image.
    If not allowed, forward to your PHP login page. Once logged in, add their IP to that list (.htaccess? .txt? whatever) using PHP, then they never have to do that again. And you could then show them the image or just say "now go back and reload the page".


    Of course the other problem here is that if you do this, the images won't load when embedded on a page and HTML will be shown instead (causing errors, probably). If you want to display an alternate image, that gets more complex too.


    One final suggestion for all of this that would handle everything in a slightly more "proper" way:
    1. Use htaccess with an "ok" IP list.
    2. Use a PHP page to serve the images, like page.php?image=123
    3. Once that page is accessed, use PHP to dynamically modify the IP address list that is allowed without the password.




    Remember: if you are going to serve images using PHP, this means you'll need to first output the proper headers. This is crucial.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
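
The final suggestion in the post above (an allowed-IP list, a PHP page that serves the images, and adding the IP after a login), as an added example that is not part of the original thread. The paths, the id-to-file map and the `logged_in` session key are assumptions; the list is kept in a plain text file outside the web root rather than in .htaccess, so PHP never needs write access to the server's access rules.

```php
<?php
// Added example for page.php?image=123; paths, id map and 'logged_in' key are hypothetical.
declare(strict_types=1);
session_start();

const PRIVATE_DIR = '/var/www/private_images';          // outside the document root
const ALLOW_FILE  = '/var/www/private/allowed_ips.txt'; // one IP per line, not web-served
const IMAGES      = [123 => 'photo1.jpg', 124 => 'diagram.png'];

function ipAllowed(string $ip): bool {
    $flags = FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES;
    $list = is_file(ALLOW_FILE) ? file(ALLOW_FILE, $flags) : [];
    return in_array($ip, $list, true);
}

function rememberIp(string $ip): void {
    // Validate before writing; LOCK_EX keeps concurrent logins from corrupting the list.
    if (filter_var($ip, FILTER_VALIDATE_IP) !== false && !ipAllowed($ip)) {
        file_put_contents(ALLOW_FILE, $ip . "\n", FILE_APPEND | LOCK_EX);
    }
}

// Use the connection address; headers such as X-Forwarded-For are client-supplied.
$ip = $_SERVER['REMOTE_ADDR'] ?? '';
if (!ipAllowed($ip)) {
    if (empty($_SESSION['logged_in'])) { // set by your own login page
        http_response_code(403); // status only, so an embedded <img> fails cleanly
        exit;
    }
    rememberIp($ip); // logged in: this IP skips the password next time
}

// Only ids from the fixed map are accepted, so no request data reaches the file path.
$id = filter_input(INPUT_GET, 'image', FILTER_VALIDATE_INT);
if (!is_int($id) || !array_key_exists($id, IMAGES)) {
    http_response_code(404);
    exit;
}
$path = PRIVATE_DIR . '/' . IMAGES[$id];
$mime = is_file($path) ? (new finfo(FILEINFO_MIME_TYPE))->file($path) : false;
if ($mime === false || strncmp($mime, 'image/', 6) !== 0) {
    http_response_code(404);
    exit;
}
// Headers go out before any image bytes.
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

An IP entry identifies a network address, not a person: anyone behind the same NAT or proxy inherits the access, and a dynamic address can later belong to someone else, so entries in the list should be reviewed or expired.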

  3. #3
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    2,287
    Thanks
    97
    Thanked 104 Times in 102 Posts


    Sorry for the late reply. I will certainly look into and try to adapt your suggestion to my site.
    To choose the lesser of two evils is still to choose evil. My personal site

  4. #4
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    2,287
    Thanks
    97
    Thanked 104 Times in 102 Posts


    Ok, I have something that works. I am using the last method you mentioned and will update it later to use your second method using a combination of htaccess and php.

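    For those wondering about the basic format of the code, here it is:
    Code:
    # Apache 2.2 access-control syntax (mod_access_compat on Apache 2.4).
    # <Limit GET POST> applies these rules to GET, HEAD and POST only;
    # other HTTP methods are not restricted by this block.
    <Limit GET POST>
    order deny,allow
    deny from all
    # 1.2.3.4 stands in for the permitted IP address
    allow from 1.2.3.4
    </Limit>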
    I have one security question. I hear that sessions and htaccess are really secure and that you should not post anything sensitive online, like bank account stuff, etc, but hypothetically I do post my bank account to this htaccess protected folder and I have tested the htaccess program on other computers and see that the program does indeed work. I also am very careful with whose IP address is in the allow list. Namely only myself. Would you say that is pretty secure?

    Really, I just plan on using it to store copyrighted material.
    To choose the lesser of two evils is still to choose evil. My personal site

  5. #5
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    In theory, it is totally secure. In reality, it probably will remain totally secure. There is a chance though that your server may be compromised and that will then be visible. Any possible way onto your server (like hacking your database or uploading a php page) may give access to the htaccess file.
    Just like PHP source it SHOULD not be visible, but it's not guaranteed that no one will ever see it. For example, your host may have access and if they aren't trustworthy, then that already is someone other than yourself.

    Realistically with copyrighted material it will never be that big a problem, but it's not a guarantee beyond the overall safety of your server.

    Basically it's the same reason it's a bad idea to write down your passwords and leave a notecard in your desk drawer with them: if someone breaks into your house, they can get into your email, bank account, etc.
    Is it realistically a problem? Probably not. And if that did happen would that be your biggest concern? Probably not.


    In short, NEVER put anything crucial anywhere that is not completely secure. In fact, sensitive enough information should not be put ANYWHERE. Beyond that, htaccess is about as good as it'll get.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
