How to "protect" a link.

2006-11-20

Here I will show you how you can protect a link from being copied and used by anyone other than the person you gave permission to. Giving permission here means, for example, forcing the user to view the picture on YOUR page. Of course he can copy the picture and upload it to another server, but that's not really the point here. The case is a picture where you want to prevent hotlinking as well as prevent people from cutting and pasting the link over an IM client to a friend. You may want to force a person to view the whole page before being able to view the pictures on it.

The solution does not use any login procedure or save any cookies, but rather generates a unique link for the individual visiting your page. We will also ignore referers because that is easily abused.

To generate the link we will use a secret salt, a checksum of the file, the visitor's IP address and the user agent string from the visitor's browser, and make a SHA1 (or whatever you prefer) checksum. The secret salt can be anything from a couple of words to just banging on the keyboard for 5 seconds.

This script generates a link for YOU and probably only you.

<?PHP
$file = "the_secret_picture.jpg";
$secret = "this is a secret salt string... Mooo I am a cat that says mooo!";
$ip = $_SERVER['REMOTE_ADDR'];
$agent = $_SERVER['HTTP_USER_AGENT'];
// The id is bound to this visitor: secret + IP + user agent + file name.
$hash = sha1($secret.$ip.$agent.$file);

print "<img src=\"http://www.netrogenic.com/public/linkprotection/show.php?id=$hash\">";
?>
The link would be http://www.netrogenic.com/public/linkprotection/show.php?id=2193ffa8c6bf97e33b48a371d2be85e1c00b2085 which results in the picture below.

Now for the fun part. Try to get the URL to the picture and load it from Firefox (if you are using Explorer now) or MSIE if you are using Mozilla/FireFox/ICEferret/whatever. You should not be able to view the picture. But if you load this page you will see it. If you cut out the URL to the picture and IM it to your friend, he must have the same IP and the exact same user agent string to be able to see it if he does not visit the page.

The script show.php:

<?PHP
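$file = "the_secret_picture.jpg";
$secret = "this is a secret salt string... Mooo I am a cat that says mooo!";
$ip = $_SERVER['REMOTE_ADDR'];
$agent = $_SERVER['HTTP_USER_AGENT'];
// Recompute the hash for the visitor making this request.
$hash = sha1($secret.$ip.$agent.$file);

// Strict comparison: a loose != lets PHP compare two numeric-looking
// strings as numbers. A request without an id is rejected as well.
if (!isset($_GET['id']) || $hash !== $_GET['id']) {
  header("HTTP/1.0 404 Not Found");
  die();
}

header('Content-Type: image/jpeg');
print file_get_contents($file);
?>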
Variations: By removing the IP and agent and inserting the date and/or time (YYYYMMDD) instead, you make the link self-destruct the next day, but it can be viewed by anyone until then. My examples are static and can be made more general; that is up to your implementation.
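
The per-visitor link and the date variation, written as one pair of functions. This is an added example, not part of the original scripts: it swaps sha1() over a concatenated string for hash_hmac() with SHA-256 and compares with hash_equals(). The names link_token, link_token_valid, daily_token and LINK_SECRET, the placeholder key and the "\n" field separator are assumptions.

```php
<?php
// Added example: names, the placeholder key and the "\n" separator are
// assumptions, not taken from the original scripts.
const LINK_SECRET = 'replace-with-a-long-random-secret'; // placeholder

// $bind is what the link is tied to: [ip, agent] for a per-visitor link,
// [date] for the self-destructing variation.
function link_token(string $file, array $bind): string
{
    // Fields are joined with "\n" (which does not occur in REMOTE_ADDR or in
    // a single-line header value) so ("ab", "c") and ("a", "bc") differ.
    $message = implode("\n", array_merge($bind, [$file]));
    return hash_hmac('sha256', $message, LINK_SECRET);
}

// Constant-time check; a non-string id (e.g. show.php?id[]=x) is rejected.
function link_token_valid($id, string $file, array $bind): bool
{
    return is_string($id) && hash_equals(link_token($file, $bind), $id);
}

// Date variation: the token changes at midnight UTC.
function daily_token(string $file, int $now): string
{
    return link_token($file, [gmdate('Ymd', $now)]);
}

// Constructed sample values (documentation IP ranges, made-up user agent).
$file  = 'the_secret_picture.jpg';
$ip    = '203.0.113.7';
$agent = 'Mozilla/5.0 (constructed sample)';

$id = link_token($file, [$ip, $agent]);
var_dump(link_token_valid($id, $file, [$ip, $agent]));            // same visitor
var_dump(link_token_valid($id, $file, ['198.51.100.9', $agent])); // different IP
var_dump(link_token_valid(['x'], $file, [$ip, $agent]));          // array id

$noon  = gmmktime(12, 0, 0, 11, 20, 2006);
$daily = daily_token($file, $noon);
var_dump(link_token_valid($daily, $file, [gmdate('Ymd', $noon + 3600)]));  // same day
var_dump(link_token_valid($daily, $file, [gmdate('Ymd', $noon + 86400)])); // next day
```

In show.php the check would be called with $_GET['id'] ?? null as the first argument, and a false result answered with the same 404 as before.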