#1 |
Internet! Is that thing still around?
Join Date: May 2005
Posts: 2
|
Need advice on protecting members-only content
I've seen a lot of good advice here about protecting freely-available content (TGP, etc) from hotlinking. My problem is similar, but has to do with paid members-only content.
The reason I don't see the REFERER checking as viable in this scenario is because that client-supplied input is very easy to spoof. Here's the scenario:

* I have a membership database
* I only want my members to access certain photo galleries

Seems like the most basic thing, right? So how do you folks get it done? How do you make sure that the only person who can get an image from a specific directory hierarchy is one of your members? I have a couple of ideas, but they all seem to me like they're "warm" but not "quite there":

Solution 1: Keep the image galleries in a non-world-readable location (like one dir up from your webroot). Use mod_rewrite in .htaccess to mask this from the user, and when an image (or whatever) is requested, use server-side PHP to authenticate the user (by method of your choice), read the image from server-only directory and write it out to the client.

Solution 2: In a parent directory for all restricted content (movies, images, etc), use .htaccess to set the handler for those filetypes (jpg, avi, whatever) to something like checkauth.php. This file would then authenticate the user (by method of your choice), then read the requested file from server and write it out to the client.

But these are just my home-baked ideas, I'm curious about how it's done in the "real world".

Thanks!
Viktor
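
Solution 1 from the post above, sketched as an added example (not code from the thread or from any product named in it): a PHP gatekeeper that checks the member session and then streams a file stored outside the webroot. The file name `serve.php`, the `f` parameter, the `member_id` session key, the directory and the rewrite rule are all assumptions.

```php
<?php
// serve.php: added example; every name and path below is an assumption.
// Assumed .htaccess in the webroot, routing gallery URLs to this script:
//   RewriteEngine On
//   RewriteRule ^members/gallery/(.+)$ serve.php?f=$1 [L]
const PROTECTED_ROOT = '/var/www/protected/gallery'; // hypothetical, outside the webroot
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

// Map a client-supplied relative path to a real file under $root, or null.
// realpath() collapses "../" and follows symlinks, so the prefix check is
// made on the path the filesystem will actually open.
function resolve_member_file(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    $fileReal = realpath($root . '/' . $requested);
    if ($rootReal === false || $fileReal === false || !is_file($fileReal)) {
        return null;
    }
    if (strncmp($fileReal, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) !== 0) {
        return null; // resolved outside the protected tree
    }
    $ext = strtolower(pathinfo($fileReal, PATHINFO_EXTENSION));
    return isset(ALLOWED_TYPES[$ext]) ? $fileReal : null;
}

session_start();
// Assumption: the site's login code sets $_SESSION['member_id'] after
// verifying the user against the membership database.
if (empty($_SESSION['member_id'])) {
    http_response_code(403);
    exit('Members only');
}

$path = resolve_member_file(PROTECTED_ROOT, (string)($_GET['f'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store'); // keep shared caches from storing member content
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Access here depends on the server-side session rather than the Referer header, and the `realpath()` prefix check keeps a request such as `f=../../config.php` from reading files outside the gallery tree.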
#2 |
If something goes wrong at the plant, blame the guy who can't speak English
Join Date: Jul 2004
Posts: 30
|
What about keeping the content in the same directory/structure as other members only (password protected) content?
|
#3 |
No offence Apu, but when they were handing out religions you must have been out taking a whizz
|
If you really want to protect your member areas from hotlinkers, cheaters, hackers, etc. then you should be looking at the products on the market out there specifically designed to do this. Like:
PennyWize StrongBox
__________________
Please Re-Read The Rules For Sig Files |