Framed & Linked Content

This is a discussion on Framed & Linked Content within the PHP General forums, part of the PHP Programming Forums category.

#1
01-29-2008
Mike Potter
Framed & Linked Content

There is JavaScript out there, to make a page break out of frames if
someone else has your page in a frame of theirs.
Is it possible to do this with PHP or is that the wrong side of
Server/Client-side operations?

Related, when target files are PDF's, images, or other than
.php/.htm(l), does PHP provide any remedies against that
sort of remote site linking?

Mike
#2
01-29-2008
Per Jessen
Re: [PHP] Framed & Linked Content

Mike Potter wrote:

> There is JavaScript out there, to make a page break out of frames if
> someone else has your page in a frame of theirs.
> Is it possible to do this with PHP or is that the wrong side of
> Server/Client-side operations?


I haven't checked, but I'm wondering if the REFERER field might help you
if you want to do a server-side redirect.

> Related, when target files are PDF's, images, or other than
> .php/.htm(l), does PHP provide any remedies against that
> sort of remote site linking?


Check the REFERER field.


/Per Jessen, Zürich
#3
01-29-2008
Robert Cummings
Re: [PHP] Framed & Linked Content


On Tue, 2008-01-29 at 10:21 -0500, Mike Potter wrote:
> There is JavaScript out there, to make a page break out of frames if
> someone else has your page in a frame of theirs.
> Is it possible to do this with PHP or is that the wrong side of
> Server/Client-side operations?


PHP can echo the JavaScript that facilitates the break out.

>
> Related, when target files are PDF's, images, or other than
> .php/.htm(l), does PHP provide any remedies against that
> sort of remote site linking?


The only remedy against remote linking is to embed some kind of
expiration in the link that accesses the document. I usually do this by
using a combination of the document ID, a timestamp, and salt, and md5
or sha1. For instance the following:

<?php

// Issuing side: build a signed, time-limited access ID for one document.
$id   = 'THE DOCUMENT ID :)';
$now  = time();
$salt = 'Some site specific salt.'; // secret, lives only on the server

$accessId = $id.':'.$now.':'.sha1( $id.':'.$now.':'.$salt );

echo '<a href="/docs/myDocument.php?id='.urlencode( $accessId ).'">'
    .'The Document'
    .'</a>';

?>

Then when someone actually requests the page we do the following:

<?php

$salt     = 'Some site specific salt.';
$lifespan = 2 * 24 * 60 * 60; // 2 days

$accessId = isset( $_GET['id'] ) ? $_GET['id'] : false;
if( !$accessId )
{
    die( 'No document requested.' );
}

// The document ID may itself contain ':' (the sample ID above does), so the
// last two fields are the timestamp and code and everything before is the ID.
$parts = explode( ':', $accessId );
if( count( $parts ) < 3 )
{
    die( 'Invalid document request.' );
}
$code      = array_pop( $parts );
$timestamp = array_pop( $parts );
$id        = implode( ':', $parts );

// Constant-time comparison (PHP >= 5.6) so the check does not leak the
// expected code one byte at a time.
if( !hash_equals( sha1( $id.':'.$timestamp.':'.$salt ), $code ) )
{
    die( 'Invalid document request.' );
}

if( (time() - $lifespan) > (int)$timestamp )
{
    die( 'Document has expired.' );
}

// Otherwise flush document to browser.

?>

Now this doesn't stop anyone from saving the document locally but it
does prevent linking to your site and wasting your resources. The key to
the method is that only you know the $salt and so only you can create
the encoding that validates the passed ID and timestamp. You can also
add more attributes to the encoding such as a user ID. Then you could
ensure the user is logged in, and that the access ID must match their
logged in ID.

Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
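On the framing half of the question, the server side can do more than echo a script. As an added example (not code from Rob's post), the following PHP sends the anti-framing response headers that browsers honour before any script runs, and only uses echoed JavaScript as a fallback for clients that ignore both headers. The function names and the page skeleton are assumptions for illustration.

```php
<?php
// Added example, not from the thread: refuse to be framed from PHP.
// X-Frame-Options and the CSP frame-ancestors directive are enforced by
// the browser before the document is rendered, so they work even when
// JavaScript is disabled or the framing page sandboxes the frame.

function sendAntiFramingHeaders(string $policy = 'none'): void
{
    // 'none' blocks all framing, 'self' allows frames from the same origin.
    // header() must be called before any output is sent.
    if ($policy === 'self') {
        header('X-Frame-Options: SAMEORIGIN');
        header("Content-Security-Policy: frame-ancestors 'self'");
    } else {
        header('X-Frame-Options: DENY');
        header("Content-Security-Policy: frame-ancestors 'none'");
    }
}

function frameBustingScript(): string
{
    // Legacy fallback: if we are not the top-level window, try to replace the
    // framing page with ourselves; if the top window refuses the navigation
    // (e.g. a sandboxed iframe), blank the page rather than leave it framed.
    return <<<'JS'
<script>
if (window.top !== window.self) {
    try {
        window.top.location.replace(window.self.location.href);
    } catch (e) {
        document.documentElement.style.display = 'none';
    }
}
</script>
JS;
}

// Hypothetical page: headers first, then the fallback script in <head>.
sendAntiFramingHeaders('none');
echo "<!DOCTYPE html>\n<html>\n<head>\n" . frameBustingScript() . "</head>\n"
   . "<body>\n<p>Page content that must not be framed.</p>\n</body>\n</html>\n";
```

The headers are the real control: a page framed from another origin with `frame-ancestors 'none'` is simply not displayed, whatever the embedding page does. The script is only there for old clients, and a framing page that sets `sandbox` on the iframe without `allow-top-navigation` will defeat it, which is why it hides the content when the redirect throws.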
#4
01-29-2008
Jason Pruim
Re: [PHP] Framed & Linked Content


On Jan 29, 2008, at 10:58 AM, Robert Cummings wrote:

>
> On Tue, 2008-01-29 at 10:21 -0500, Mike Potter wrote:
>> There is JavaScript out there, to make a page break out of frames if
>> someone else has your page in a frame of theirs.
>> Is it possible to do this with PHP or is that the wrong side of
>> Server/Client-side operations?

>
> PHP can echo the JavaScript that facilitates the break out.
>
>>
>> Related, when target files are PDF's, images, or other than
>> .php/.htm(l), does PHP provide any remedies against that
>> sort of remote site linking?

>
> The only remedy against remote linking is to embed some kind of
> expiration in the link that accesses the document. I usually do this
> by
> using a combination of the document ID, a timestamp, and salt, and md5
> or sha1. For instance the following:
>
> <?php
>
> $id = 'THE DOCUMENT ID :)';
> $now = time();
> $salt = 'Some site specific salt.';
>
> $accessId = $id.':'.$now.':'.sha1( $id.':'.$now.':'.$salt );
>
> echo '<a href="/docs/myDocument.php?id='.urlencode( $accessId ).'">'
> .'The Document'
> .'</a>';
>
> ?>
>
> Then when someone actually requests the page we do the following:
>
> <?php
>
> $salt = 'Some site specific salt.';
> $lifespan = 2 * 24 * 60 * 60; // 2 days
>
> if( !($accessId = isset( $_GET['id'] ) ? $_GET['id'] : false) )
> {
> die( 'No document requested.' );
> }
>
> list( $id, $timestamp, $code ) = explode( ':', $accessId );
>
> if( $code !== sha1( $id.':'.$timestamp.':'.$salt ) )
> {
> die( 'Invalid document request.' );
> }
>
> if( (time() - $lifespan) > $timestamp )
> {
> die( 'Document has expired.' );
> }
>
> // Otherwise flush document to browser.
>
> ?>
>
> Now this doesn't stop anyone from saving the document locally but it
> does prevent linking to your site and wasting your resources. The
> key to
> the method is that only you know the $salt and so only you can create
> the encoding that validates the passed ID and timestamp. You can also
> add more attributes to the encoding such as a user ID. Then you could
> ensure the user is logged in, and that the access ID must match their
> logged in ID.
>
> Cheers,
> Rob.



I'm probably about to show my ignorance here... But by showing it
hopefully, I can learn from it! Wouldn't it be just as effective to
have a salt that gets passed to the script and do something like:

if ($salt === "Correct salt") {
    // display correct picture
} else {
    // display some random picture of a guy flipping you the bird and echo
    // out "Don't steal my pictures"
}

Now that I type that out, I see that it will still use bandwidth which
if you are on a measured plan I could see being a problem.

So I think I just convinced myself that yours is better... Anything
really wrong with my idea though?

--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
japruim@raoset.com
#5
01-29-2008
Robert Cummings
Re: [PHP] Framed & Linked Content


On Tue, 2008-01-29 at 11:12 -0500, Jason Pruim wrote:
> On Jan 29, 2008, at 10:58 AM, Robert Cummings wrote:
>
> >
> > On Tue, 2008-01-29 at 10:21 -0500, Mike Potter wrote:
> >> There is JavaScript out there, to make a page break out of frames if
> >> someone else has your page in a frame of theirs.
> >> Is it possible to do this with PHP or is that the wrong side of
> >> Server/Client-side operations?

> >
> > PHP can echo the JavaScript that facilitates the break out.
> >
> >>
> >> Related, when target files are PDF's, images, or other than
> >> .php/.htm(l), does PHP provide any remedies against that
> >> sort of remote site linking?

> >
> > The only remedy against remote linking is to embed some kind of
> > expiration in the link that accesses the document. I usually do this
> > by
> > using a combination of the document ID, a timestamp, and salt, and md5
> > or sha1. For instance the following:
> >
> > <?php
> >
> > $id = 'THE DOCUMENT ID :)';
> > $now = time();
> > $salt = 'Some site specific salt.';
> >
> > $accessId = $id.':'.$now.':'.sha1( $id.':'.$now.':'.$salt );
> >
> > echo '<a href="/docs/myDocument.php?id='.urlencode( $accessId ).'">'
> > .'The Document'
> > .'</a>';
> >
> > ?>
> >
> > Then when someone actually requests the page we do the following:
> >
> > <?php
> >
> > $salt = 'Some site specific salt.';
> > $lifespan = 2 * 24 * 60 * 60; // 2 days
> >
> > if( !($accessId = isset( $_GET['id'] ) ? $_GET['id'] : false) )
> > {
> > die( 'No document requested.' );
> > }
> >
> > list( $id, $timestamp, $code ) = explode( ':', $accessId );
> >
> > if( $code !== sha1( $id.':'.$timestamp.':'.$salt ) )
> > {
> > die( 'Invalid document request.' );
> > }
> >
> > if( (time() - $lifespan) > $timestamp )
> > {
> > die( 'Document has expired.' );
> > }
> >
> > // Otherwise flush document to browser.
> >
> > ?>
> >
> > Now this doesn't stop anyone from saving the document locally but it
> > does prevent linking to your site and wasting your resources. The
> > key to
> > the method is that only you know the $salt and so only you can create
> > the encoding that validates the passed ID and timestamp. You can also
> > add more attributes to the encoding such as a user ID. Then you could
> > ensure the user is logged in, and that the access ID must match their
> > logged in ID.
> >
> > Cheers,
> > Rob.

>
>
> I'm probably about to show my ignorance here... But by showing it
> hopefully, I can learn from it! Wouldn't it be just as effective to
> have a salt that gets passed to the script and do something like:
>
> if($salt ="Correct salt"){
> //display correct picture
> }else{
> //display some random picture of a guy flipping you the bird and echo
> out Don't steal my pictures
> }
>
> Now that I type that out, I see that it will still use bandwidth which
> if you are on a measured plan I could see being a problem.
>
> So I think I just convinced my self that yours is better... Any thing
> really wrong with my idea though?


You can't pass the salt, the salt is like a password. If the end user
knows it they could arbitrarily change the document ID or timestamp in
which case access is no longer under your control. This is why we create
a sha1 encoding based on the document ID, the timestamp, and the salt.
If any of the parameters changes we don't get the access code and so we
know that tampering has occurred with the request parameters.

Cheers,
Rob.
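The scheme Rob describes in #3 and defends in #5 (only the server knows the secret, so any change to the ID or timestamp breaks the code) is, in current terms, a message authentication code over the link parameters. The following is an added example, not Rob's code, that carries the same idea a little further: a keyed HMAC instead of sha1(data . salt), an explicit expiry time instead of an issue time plus lifespan, an optional binding to the logged-in user that Rob mentions, and a fixed table that maps document IDs to files so the ID is never used as a path. The key, the document table, the parameter names and the file paths are all assumptions; the self-check at the bottom runs from the command line.

```php
<?php
// Added example, not from the thread: expiring, tamper-proof document links.

// Secret key, server-side only. Generate with bin2hex(random_bytes(32)).
const LINK_KEY = 'replace-with-a-random-32-byte-key';

// Hypothetical catalogue: the client only ever sees the key, never a path.
const DOCUMENTS = [
    'brochure' => '/var/www/private/brochure.pdf',
    'logo'     => '/var/www/private/logo.png',
];

// Build the query string for a link that is valid for $ttlSeconds.
// An empty $userId means the link is not bound to a user.
function issueLink(string $docId, int $ttlSeconds, string $userId = '', ?int $now = null): string
{
    if (!isset(DOCUMENTS[$docId])) {
        throw new InvalidArgumentException("unknown document: $docId");
    }
    $expires = ($now ?? time()) + $ttlSeconds;
    // Every field the verifier will check is covered by the MAC.
    $payload = implode("\n", [$docId, (string)$expires, $userId]);
    $sig = hash_hmac('sha256', $payload, LINK_KEY);
    return http_build_query(['doc' => $docId, 'exp' => $expires, 'uid' => $userId, 'sig' => $sig]);
}

// Returns the file to serve, or null with $reason set. $params is $_GET.
function verifyLink(array $params, string $currentUserId = '', ?int $now = null, ?string &$reason = null): ?string
{
    foreach (['doc', 'exp', 'sig'] as $k) {
        if (!isset($params[$k]) || !is_string($params[$k])) {
            $reason = 'missing parameter';
            return null;
        }
    }
    $docId = $params['doc'];
    $exp   = $params['exp'];
    $uid   = isset($params['uid']) && is_string($params['uid']) ? $params['uid'] : '';

    if (!ctype_digit($exp)) {
        $reason = 'bad expiry';
        return null;
    }
    // Recompute the MAC; a changed doc, exp or uid produces a different value.
    $expected = hash_hmac('sha256', implode("\n", [$docId, $exp, $uid]), LINK_KEY);
    if (!hash_equals($expected, $params['sig'])) {   // constant-time compare
        $reason = 'bad signature';
        return null;
    }
    if (($now ?? time()) > (int)$exp) {
        $reason = 'expired';
        return null;
    }
    if ($uid !== '' && !hash_equals($uid, $currentUserId)) {
        $reason = 'wrong user';
        return null;
    }
    if (!isset(DOCUMENTS[$docId])) {   // never treat the ID as a path
        $reason = 'unknown document';
        return null;
    }
    return DOCUMENTS[$docId];
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("self-check failed: $what");
    }
}

// Self-check when run as: php signed_links.php
if (PHP_SAPI === 'cli') {
    $t0 = 1700000000;                        // fixed clock for reproducibility
    parse_str(issueLink('brochure', 3600, 'alice', $t0), $good);

    check(verifyLink($good, 'alice', $t0 + 10) === DOCUMENTS['brochure'], 'valid link');
    check(verifyLink($good, 'alice', $t0 + 3601, $r) === null && $r === 'expired', 'expiry');
    check(verifyLink($good, 'mallory', $t0 + 10, $r) === null && $r === 'wrong user', 'user binding');

    $tampered = $good;
    $tampered['doc'] = 'logo';               // swap the document, keep the signature
    check(verifyLink($tampered, 'alice', $t0 + 10, $r) === null && $r === 'bad signature', 'doc swap');

    $tampered = $good;
    $tampered['exp'] = (string)($t0 + 999999); // push the expiry out
    check(verifyLink($tampered, 'alice', $t0 + 10, $r) === null && $r === 'bad signature', 'exp swap');

    echo "all checks passed\n";
}
```

In the request handler the call is `verifyLink($_GET, $_SESSION['user_id'] ?? '')`, and the returned path is what gets read and streamed; the `doc` parameter is only ever a lookup key. Rob's point from #5 is the `bad signature` cases in the self-check: Jason's idea of sending the salt along fails precisely because whoever holds it can re-sign any `doc` or `exp` they like.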
#6
01-29-2008
Per Jessen
Re: [PHP] Framed & Linked Content

Robert Cummings wrote:

> The only remedy against remote linking is to embed some kind of
> expiration in the link that accesses the document.


Wouldn't a check of the REFERER field be enough to disable most remote
links? (I know it is easily forged.)


/Per Jessen, Zürich
#7
01-29-2008
Robert Cummings
Re: [PHP] Framed & Linked Content


On Tue, 2008-01-29 at 17:32 +0100, Per Jessen wrote:
> Robert Cummings wrote:
>
> > The only remedy against remote linking is to embed some kind of
> > expiration in the link that accesses the document.

>
> Wouldn't a check of the REFERER field be enough to disable most remote
> links? (I know it is easily forged.)


Referer value is completely worthless. Many people completely disable
it-- such as myself :)

Cheers,
Rob.
#8
01-29-2008
Per Jessen
Re: [PHP] Framed & Linked Content

Robert Cummings wrote:

>
> On Tue, 2008-01-29 at 17:32 +0100, Per Jessen wrote:
>> Robert Cummings wrote:
>>
>> > The only remedy against remote linking is to embed some kind of
>> > expiration in the link that accesses the document.

>>
>> Wouldn't a check of the REFERER field be enough to disable most
>> remote
>> links? (I know it is easily forged.)

>
> Referer value is completely worthless. Many people completely disable
> it-- such as myself :)


Well then - for people who've disabled it, there's no remote linking to
your content. All done.


/Per Jessen, Zürich
#9
01-29-2008
Per Jessen
Re: disable referer? (was: Framed & Linked Content)

Robert Cummings wrote:

> Referer value is completely worthless. Many people completely disable
> it-- such as myself :)


But most people probably don't - 'coz most don't know how to edit e.g.
the firefox config.

What is the purpose of disabling it?



/Per Jessen, Zürich
#10
01-29-2008
Per Jessen
Re: [PHP] Framed & Linked Content

Per Jessen wrote:

> Well then - for people who've disabled it, there's no remote linking
> to your content. All done.


Btw, apache does a good job of dealing with remote links:

RewriteCond %{HTTP_REFERER} !^https?://jessen.ch/
RewriteRule /images/(.*) http://jessen.ch/no-remote-linking-please?item=$1

It's a rough example, but the idea should be obvious.


/Per Jessen, Zürich
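The same Referer check, done in PHP rather than in Apache, as an added example that is not Per's configuration. It is written around the two things the thread raises: Rob's point that many browsers send no Referer at all (an empty header is allowed through here, since only an explicitly foreign site is evidence of remote linking), and the need to match the host exactly rather than by substring, which a hand-written pattern often gets wrong. The allowed host list, the image directory and the sample Referer values are constructed for the example; the self-check runs from the command line.

```php
<?php
// Added example, not from the thread: a Referer check for hot-linked images.

// Hosts that are allowed to embed our images (assumed for the example).
const ALLOWED_HOSTS = ['jessen.ch', 'www.jessen.ch'];

// Decide whether a request may fetch a protected image.
//  - no Referer at all: allowed (privacy settings, typed URLs and some
//    proxies strip it, so its absence proves nothing)
//  - Referer present: its host must be exactly one of ALLOWED_HOSTS
function refererAllowed(?string $referer, array $allowedHosts = ALLOWED_HOSTS): bool
{
    if ($referer === null || $referer === '') {
        return true;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'])) {
        return false;                       // unparsable Referer: treat as foreign
    }
    $host = strtolower($parts['host']);
    // Exact host match, not a substring search: 'jessen.ch.example.net' and
    // 'notjessen.ch' both contain our name but are not our site.
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

// Wiring it into an image handler (hypothetical directory and messages).
// Returns what the handler would respond with instead of sending it, so the
// decision can be tested without a web server.
function serveImage(string $name, ?string $referer): array
{
    $safeName = basename($name);            // drop any directory components
    if (!refererAllowed($referer)) {
        return ['status' => 403, 'body' => 'no remote linking please: ' . $safeName];
    }
    return ['status' => 200, 'file' => '/var/www/images/' . $safeName];
}

// Self-check when run as: php referer_check.php
if (PHP_SAPI === 'cli') {
    $cases = [
        [null, true],                                           // Referer disabled in the browser
        ['https://jessen.ch/gallery.html', true],
        ['http://www.jessen.ch/', true],
        ['https://JESSEN.CH/x', true],                          // host names are case-insensitive
        ['https://jessen.ch.example.net/steal.html', false],    // substring look-alike
        ['https://example.net/?u=https://jessen.ch/', false],   // our name only in the query
        ['not a url', false],
    ];
    foreach ($cases as [$ref, $want]) {
        if (refererAllowed($ref) !== $want) {
            throw new RuntimeException('unexpected result for ' . var_export($ref, true));
        }
    }
    if (serveImage('../../etc/passwd', null)['file'] !== '/var/www/images/passwd') {
        throw new RuntimeException('path components were not stripped');
    }
    echo "all referer cases behave as expected\n";
}
```

In a real handler the call is `refererAllowed($_SERVER['HTTP_REFERER'] ?? null)`. As Per says, the header is trivially forged, so this only deters casual hot-linking from other pages; anyone who wants the file can fetch it with a forged or missing Referer, which is why Rob's signed, expiring links are the stronger answer when bandwidth actually matters.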