Leeching / Hotlinking, Authentication

Hello,

I have an ASP app which I use for generating images on my site.

Is there any way of authenticating that the script is being called by someone on my site and not someone hotlinking or typing the script URL in the browser?

Thanks,

1DMF.

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
 
1DMF, what you could do is create your own image display code and then use a session variable to validate. i.e.

Code:
<img src="/displayimages.asp?file=myimg.gif">

and then for displayimages.asp

Code:
' File name requested by the <img> tag
FileName = Request.QueryString("file")
FilePath = "\images\"

' Serve the requested image only when one of the site's pages has set the session flag
If Session("ValidUser") = "Y" Then
    FullFilePath = FilePath & FileName
Else
    FullFilePath = FilePath & "Default.jpg"
End If

Response.ContentType = "image/jpeg"
Dim MyImage
Set MyImage = Server.CreateObject("AspImage.Image")
MyImage.LoadImage(FullFilePath)
Response.BinaryWrite MyImage.Image
Set MyImage = Nothing

Then just stick a bit of code on your pages or in an include file that will set the session "ValidUser". So now if it's not a valid user it will display a default image of your choice, or just remove this and return nothing!

Nick
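
A hardened form of the displayimages.asp gate above, added here as an example and not part of the original post: the snippet in the post joins the `file` query-string value straight onto the image folder path, so this version accepts only a bare file name with an image extension before touching the disk. It assumes the images live in the site's /images/ folder and reads the file with the standard ADODB.Stream object instead of AspImage; the names IMAGE_DIR, FALLBACK, IsSafeImageName and ContentTypeFor are made up for the example.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example (not the thread's code): session-gated image script with file-name validation.
' Assumptions: images are under /images/ and the site's pages set Session("ValidUser") = "Y".
Const IMAGE_DIR = "/images/"
Const FALLBACK = "Default.jpg"

' Accept only a bare file name (no slashes, no "..") with an allowed image extension.
Function IsSafeImageName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]+\.(gif|jpe?g|png)$"
    re.IgnoreCase = True
    IsSafeImageName = re.Test(name)
End Function

' Send the Content-Type that matches the file actually served.
Function ContentTypeFor(name)
    Select Case LCase(Mid(name, InStrRev(name, ".") + 1))
        Case "gif": ContentTypeFor = "image/gif"
        Case "png": ContentTypeFor = "image/png"
        Case Else:  ContentTypeFor = "image/jpeg"
    End Select
End Function

Dim fileName, fso, physicalPath, stream
fileName = Request.QueryString("file")

' Fall back to the default image when the session flag is missing
' or the requested name is not on the allowlist.
If Session("ValidUser") <> "Y" Or Not IsSafeImageName(fileName) Then
    fileName = FALLBACK
End If

physicalPath = Server.MapPath(IMAGE_DIR & fileName)
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(physicalPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1                      ' adTypeBinary
stream.Open
stream.LoadFromFile physicalPath
Response.ContentType = ContentTypeFor(fileName)
Response.BinaryWrite stream.Read
stream.Close
Set stream = Nothing
%>
```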
 
Hi Nick,

I'm pretty green when it comes to ASP.

How do I set the 'session' and also is this anything to do with cookies?

Because I assume it won't work with FF if it is, as FF blocks cookies by default.
 
1DMF, no this is using a server session, no need for cookies.

Code:
session("ValidUser") = "Y"

simple as that!

Just stick this at the top of each page and job's a good one! By default session variables time out after 20 minutes. You can, if you wish, change this using
Code:
session.timeout = 5

Nick
 
err... obviously don't put "session("ValidUser") = "Y"" on your displayimages.asp page otherwise it will defeat the purpose! :)
 
Thanks, nearly there just have one last problem.

ASP doesn't work with the SSI directive.

Therefore I cannot get an ASP page to run my perl script.

Is it possible to get SSI to process an ASP include?
 
You're a genius Nick.

Many Many thanks...

here is what I got
Code:
<!--#EXEC CGI="/includes/validate.asp"-->
<!--#EXEC CGI="/cgi-bin/get_links.pl?CAT=Books" -->

That processes the ASP include to set session, and also runs my script to actually produce the visible page.

The ASP file is called as an image source in the resulting HTML code and Bob's your uncle!

If the validate.asp isn't included the image doesn't show!

So simple, yet so effective.

Have a great weekend!
 
No problem, glad I could finally be of service to you, think you've answered many a JS and CSS question of mine in the past!

Cheers

Nick
 
That's what this forum is all about.

Together, we can get the job done :)
 
But Nick said this isn't using cookies?

Plus that approach uses the HTTP_REFERER environment variable, which is not reliable as browsers such as Firefox withhold this piece of data.
 
Damn, I just tested and Nick's method is using cookies!!

Is there no reliable way?
 
I've also just tested with
Code:
ref = Request.ServerVariables("HTTP_REFERER")
response.write "referer = " & ref & "<br />"

and the referer is blank.

I'm using IE7.

So I assume the referer is not a viable option.
 
1DMF, really sorry, my bad with the cookie thing. What kind of server are you going to be hosting this on?
 
Win2003 IIS6 - with ASP, PHP & ActiveState Perl
 
I believe there is a way to stop this using IIS. Have a quick look on Google for hotlinking IIS scripts, most results are groups and I'm at work so can't get into them I'm afraid but I know there is a way!
 
I've actually decided to go with the cookie method.

The reason being this is for an affiliates portal directory website.

So if the client doesn't have cookies enabled, I won't get credited for any sales made via the affiliate link.

So hey, no cookies, no pay, it don't matter if my site doesn't show properly.

Those visitors won't be earning me anything anyhow.

I know, a bit shallow and cut-throat, but it's just a little hobby site I'm applying it to, so no biggie, the site is just for fun, because I can and needed a new project to get my teeth into.

I got bored of my record company and closed it , so now I got something else to do ;-)
 
haha, know that feeling... I'm forever coming up with some harebrained scheme just for something to do... one day I'll come up with a Facebook or a YouTube and then just wait to be googlified!!

Record company??? I'm assuming shop and not label?!
 
No, it was a label, music community, top 40 charts where members uploaded their own tunes, with profiles, voting system, free membership, members could review tracks in charts and earn credits for free downloads, online mp3 purchasing, internet radio station, yeah it was a cool site really, even if I say so myself!

I'd just finished my 6th album also (as an artist), was about to release it, hosting came up for renewal and just said to the missus, I'M BORED!, took the £500.00 and booked a holiday in Goa, we go in three weeks so can't wait.

Doing the golden triangle tour so fly up to Delhi after @ 4 days in Goa, then 5 days tour of Jaipur, Agra, Delhi, Taj Mahal, then back to Goa to relax for the last few days.

So I'm not upset with the closure of the site ;-), I'm working on a 7th album, but it's really a back burner project, so more likely finish it in 6 years rather than the usual 6 months :-(

But I was still bored so now working on this new idea, hell MySpace, YouTube, you can't be the next .com mogul, coz I'm gonna be - lol
 
haha, nice one! Enjoy your hols, sounds cracking! Have you got any of your own stuff online?
 