httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Yaÿfffffffffff1ez <>
Subject Re: [users@httpd] image folder outside the to access it ?
Date Wed, 26 Sep 2007 20:05:38 GMT
Ok so I will use a dirty example since maybe this will be more clear. Lets asume that I cannot
put images outside the root of my domain for the purposes that you explain. that only leaves
me the option of using normal folders (ex. to put my images in. Lets
say Im running an ADULT website, where users have to pay to register, and then login to get
access to the private pages. I am using php and sessions to verify that indeed the user exists
in my database and that he is a valid user. Everything is perfect here. I then forward the
user to a secure page. This secure verifies the existance of a valid session, and if so, then
displays the content. If the session is not valid then it will redirect the user to another
page asking him to login or whatever. This secure page contains a gallery of a beautifull
girl. A gallery with pictures only registered members are allowed to see. one of the pictures
has a url for example The registered user that is allowed to see that picture,
can save the picture, print the screen, download it etc. I have no control over that I know.
But my problem is that he shouldnt be able to send the link to a friend. nobody should be
able to just type: and have the image opened. Otherwise,
why pay??? if a user figures out the folder structure then he could easily find the other

Now, all this about using a folder outside the root for private pictures was initially suggested
because other people said they actually place fils outside the root that they wanted to be
private and only be served by a page inside the server. Maybe this technique works only for
code files (.php etc). Or at least thats what everyone in this newsletter is telling me. So
then, my question was, how to deliver images (or other media files) that are supposed to be
only accessible to registered users from a folder inside my root, without having the risk
of people just linking to them directly. there is no way to prevent this obviously with any
kind of php script, or java or anything. This has to be done by something (and I assumed it
was apache) in the server. I was almost ready to start using .htaccess but then on the official
apache website: they suggest not using
an .htaccess file because it slow down the
 server plus it is insecure. 

My question to you guys now is different, what are the reccomended ways to have a secure folder
in my website that will only deliver its content to users when it is requested by a script
inside my serer? if it really has nothing to do with apache, then Im sorry, but I think it
is a combination of a server language like php and apache...maybe Im wrong, but I would like
any suggestions opinions you guys might have. 

Thanks again, and sorry for so many questions, I hope I can get the answers to my questions
or at least better ideas of where to look at. 
Cheers !!

----- Original Message ----
From: Boyle Owen <>
Sent: Wednesday, September 26, 2007 2:25:48 AM
Subject: RE: [users@httpd] image folder outside the to access it ?

> -----Original Message-----
> From: Daniel Yaÿfffffffffff1ez [] 
> Sent: Wednesday, September 26, 2007 4:03 AM
> To:
> Subject: Re: [users@httpd] image folder outside the 
> to access it ?
> Thanks for the Info Joshua I will read it and see what I can 
> learn, although I have a couple things to point out. The 
> solution Im looking for was not originally intended to stop 
> hot linking, but simply, just as a way to have pictures in a 
> private folders that could only be accessed by a specific 
> user. Lets say someone uploads a picture to their private 
> page, no body should be able to access that picture but the 
> owner of that picture. without any kind of security anyone 
> can type the picture folder + name and access it like this 

It sounds like you are looking for "security" - ie, password-controlled access. Or, a web
application like coppermine (google for details...) 

> And so I started doing 
> some research and I have found lots of places and articles 
> that suggest that for my prloblem I should just use a folder 
> outside of the root of my domain. 

This would only make sense in the context of a web application that is fetching the images
dynamically (ie, mapping the dynamic URLs to arbitrary file locations). If you have a link,
post it and I'll have a look...

> The way everyone talks 
> about it seems like it should be a simple thing, like 
> something that shouldnt be hard. Yet I cant do it. Just as a 
> final note, I have been able to access files outside the 
> root, files like .php by
>  using include() to call those files. We where even able to 
> open jpgs as binary and convert them back to jpgs with some 
> php functions.

Yes - that's a PHP application that is handling the request and reading the files off the
disk. This bypasses apache so can't be emulated by apache config directives. 

> Yet we should need to do this for all the 
> secure images in my website. I know there has to be other 
> ways to achieve this. 

I think you are confusing server-sided web applications, like PHP, with apache. Apache is
just a web server; it gets files off disks and sends them down the wire. It can also pass
requests to other applications on the server (handlers, like PHP) and they can get data for
it, but they are not bound by or controlled  by the apache config.

You can't do what you want to do with apache alone.

Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> ----- Original Message ----
> From: Joshua Slive <>
> To:
> Sent: Tuesday, September 25, 2007 1:22:16 PM
> Subject: Re: [users@httpd] image folder outside the 
> to access it ?
> On 9/25/07, Daniel Yaÿfffffffffff1ez <> wrote:
> > Hello everyone, I have been trying to make this work but so 
> far I havent been able to successfully load an image (or 
> other media file) that is in a folder outside the root of my 
> domain. I initially wanted to do this in order to be able to 
> deliver this images from code running inside my serer, but to 
> prevent people from linking directly to the image (or file) 
> using the address bar (example: 
> >
> > I know it might be possible to achieve this using an 
> .htaccess but I heard they are a little bit unsecure plus the 
> slow down the server. (in the apache website they reccomend 
> not using it).
> >
> > My problem is that whenever I try to link to an image 
> outise the root it simply will not work. For example lets say 
> my fictional root folder is this one: www/var/public_html/    
> and lets just say the index of my website then is this:    
> www/var/public_html/index.html   now lets just say I want to 
> put my images in a folder located outside the root, like 
> this:    www/images/image1.jpg etc. I should be able to link 
> to the image like this from my index.html file: 
> ../images/image1.jpg but it doesnt work. Ive tried several 
> combinations but nothing seems to work.
> >
> > My question to you guys is if you know what apache setting 
> needs to be turned on (or off) to enable this? or how should 
> I link to images outside the root.
> >
> > Thanks in advanced and I hope anyone here can help me 
> because I have looked in a lot of places with no success. 
> Thanks again !!!
> >
> You've got a fundamental problem here: If the image file is not
> accessible from the web, then it can't be embedded in an html page. In
> order for the image to be displayed as part of the html page, the
> browser makes a separate request for the image that, to the server,
> looks identical to a request for the image alone (with the important
> exception of the content of the Referer HTTP request header). Putting
> the images outside the root is not, in itself, a problem. You can
> simply use an Alias to map them into the webspace so they are
> accessible from the web. But this will not help your direct linking
> problem.
> Here's my suggestion: 1. Check to see if you really have a direct
> linking problem. Is this really causing you serious problems? Can you
> fix it just by occasionally changing the name of your image file? 2.
> If you decide you really need to prevent hotlinking/embedding of your
> images in external pages, use one of the suggestions here:
> Note that neither of these require the use of .htaccess.
> Joshua.
> ______________________________________________________________
> ______________________
> Moody friends. Drama queens. Your life? Nope! - their life, 
> your story. Play Sims Stories at Yahoo! Games.
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:> for more info.
> To unsubscribe, e-mail:
>    "   from the digest:
> For additional commands, e-mail:
This message is for the named person's use only. It may contain confidential, proprietary
or legally privileged information. No confidentiality or privilege is waived or lost by any
mistransmission. If you receive this message in error, please notify the sender urgently and
then immediately delete the message and any copies of it from your system. Please also immediately
destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose,
distribute, print, or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail communications through their
networks. Any views expressed in this message are those of the individual sender, except where
the message states otherwise and the sender is authorised to state them to be the views of
the sender's company.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

Catch up on fall's hot new shows on Yahoo! TV. Watch previews, get listings, and more! 

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message