How to "protect" a link.

2006-11-20 Here i will show you how you can protect a link from being copied and used by another person than you gave permission for. Giving permission here is for example forcing the user to view the picture on YOUR page. Ofcource he can copy the picture and upload it to another server but thats not really the point here. If you got an picture you want to prevent hotlinking as well as preventing people from cut and paste it over an IM-client to a friend. You may want to force a person to view the whole page and then be able to view the pictures on it. The solution does not use any login procedure or saving any cookies but rather generating a uniqe link for that individual visiting your page. We will also ignore referers becouse that is easely abused. To generate the link we will use a secret salt, checksum of the file, the visitors IP-adress and the user agent string from the visitors browser and make a SHA1 (or whatever you prefer) checksum. The secret salt can be anything from a couple of words to just banging on the keyboard for 5 seconds. This script generates a link for YOU and probably only you. <?PHP
$file 
"the_secret_picture.jpg";
$secret "this is a secret salt string... Mooo I am a cat that says mooo!";
$ip $_SERVER['REMOTE_ADDR'];
$agent $_SERVER['HTTP_USER_AGENT'];
$hash sha1($secret.$ip.$agent.$file);

print 
"<img src=\"http://www.netrogenic.com/public/linkprotection/show.php?id=$hash\">";
?>
The link would be http://www.netrogenic.com/public/linkprotection/show.php?id=6ee38b76ac950a3d74725bec28c6fcba93e41d0e Wich result in the picture below. Now for the fun part. Try to get the URL to the picture and load it from Firefox (if you are using explorer now) or MSIE if you are using Mozilla/FireFox/ICEferret/whatever. You should not be able to view the picture. But if you load this page you will se it. If you cut out the URL to the picture and IM it to your friend he must have the same IP,exact same user agent string to be able to se it if he doeas not visit the page. The script show.php <?PHP
$file 
"the_secret_picture.jpg";
$secret "this is a secret salt string... Mooo I am a cat that says mooo!";
$ip $_SERVER['REMOTE_ADDR'];
$agent $_SERVER['HTTP_USER_AGENT'];
$hash sha1($secret.$ip.$agent.$file);

if(
$hash != $_GET['id']) {
  
header("HTTP/1.0 404 Not Found");  
  die();
}

header('Content-Type: image/jpeg');
print 
file_get_contents($file);


?>
Variations : By removing ip and agent and inserting the date and or time (YYYYMMDD) and thus making the link self destruct the next day but can be viewed by anyone untill then. My examples are static and can be made more general and that is up to your implementation.