Need advice on protecting members-only content

viktor · 2005-05-04, 02:15 AM

I've seen a lot of good advice here about protecting freely-available content (TGP, etc) from hotlinking. My problem is similar, but has to do with paid members-only content.

The reason I don't see the REFERER checking as viable in this scenario is because that client-supplied input is very easy to spoof.

Here's the scenario:
* I have a membership database
* I only want my members to access certain photo galleries

Seems like the most basic thing, right? So how do you folks get it done? How do you make sure that the only person who can get an image from a specific directory hierarchy is one of your members?

I have a couple of ideas, but they all seem to me like they're "warm" but not "quite there":

Solution 1: Keep the image galleries in a non-world-readable location (like one dir up from your webroot). Use mod_rewrite in .htaccess to mask this from the user, and when an image (or whatever) is requested, use server-side PHP to authenticate the user (by method of your choice), read the image from server-only directory and write it out to the client.

Solution 2: In a parent directory for all restricted content (movies, images, etc), use .htaccess to set the handler for those filetypes (jpg, avi, whatever) to something like checkauth.php. This file would then authenticate the user (by method of your choice), then read the requested file from server and write it out to the client.

But these are just my home-baked ideas, I'm curious about how it's done in the "real world".

Thanks!

Viktor

2005-05-04, 02:15 AM	#1
viktor Internet! Is that thing still around? Join Date: May 2005 Posts: 2	Need advice on protecting members-only content I've seen a lot of good advice here about protecting freely-available content (TGP, etc) from hotlinking. My problem is similar, but has to do with paid members-only content. The reason I don't see the REFERER checking as viable in this scenario is because that client-supplied input is very easy to spoof. Here's the scenario: * I have a membership database * I only want my members to access certain photo galleries Seems like the most basic thing, right? So how do you folks get it done? How do you make sure that the only person who can get an image from a specific directory hierarchy is one of your members? I have a couple of ideas, but they all seem to me like they're "warm" but not "quite there": Solution 1: Keep the image galleries in a non-world-readable location (like one dir up from your webroot). Use mod_rewrite in .htaccess to mask this from the user, and when an image (or whatever) is requested, use server-side PHP to authenticate the user (by method of your choice), read the image from server-only directory and write it out to the client. Solution 2: In a parent directory for all restricted content (movies, images, etc), use .htaccess to set the handler for those filetypes (jpg, avi, whatever) to something like checkauth.php. This file would then authenticate the user (by method of your choice), then read the requested file from server and write it out to the client. But these are just my home-baked ideas, I'm curious about how it's done in the "real world". Thanks! Viktor

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Switch to Linear Mode Switch to Hybrid Mode Threaded Mode	Rate This Thread: