1.44 build 178


Please rate DAlbum at HotScripts.com
Please rate DAlbum at @ PHP-Resource.de
Rate DAlbum @ The PHP Resource Index
Script Rating:
Securing DAlbum installation   
Secure DAlbum installation ensures that:
  • DAlbum private files (stored in ./.private folder) cannot be accessed from browser.
  • Pictures from password-protected albums cannot be downloaded without knowing valid username and password.

Contents:

How DAlbum creates links to images

An image pictures/folder1/test.jpg can be accessed by client browser in two ways:

  • directly - with a simple URL like www.mysite.com/photo/folder1/test.jpg
  • indirectly - with a proxy PHP page as www.mysite.com/photo/photo.php?file=/folder1/test.jpg

This behavior is configured by $g_bDirectAccess variable in config.php.

Indirect links

When $g_bDirectAccess is set to false (default setting), all images are returned indirectly through PHP script photo.php. photo.php verifies that user has appropriate access rights to view the image and, if all is fine, returns it to client browser.

The obvious drawback of this method is that PHP script is executed every time an image is downloaded and security check is performed even if the image is publicly available.

The benefit is flexibility - DAlbum script has control of every image download and may deny access if a certain condition is true. This can be used to prevent direct linking as will be discussed in FAQ.

Another benefit of indirect linking is that images can be stored outside of your web root location. For example, if the web root is /var/www/html, images can be stored in /home/john and be accessible.

Direct links

When $g_bDirectAccess is set to true, all public images are returned with direct links and DAlbum does not get control when an image is downloaded. Private images (which are available only to authenticated users) are still returned with indirect links to enable permission check. However, when Basic HTTP Authentication is enabled, private image paths are also returned as direct links - it's up to Apache to verify access rights in this case.

Direct linking is fast: images are served by web server without calling PHP. Flexibility suffers a little as image files must be kept inside web root. Script also must know how to translate a filename (/photo/folder1/test.jpg) to a URL visible from outside (www.mysite.com/something/photo/filder1/test.jpg). This is achieved by setting $g_sAlbumsRootBrowser variable.

For example, there is a shared hosting and

  • webroot directory is /home/john/public_html
  • default DAlbum installation is in /home/john/public_html/photo
  • $g_AlbumRoot="./pictures"; /* or /home/john/public_html/photo/pictures */

From browser this pictures directory would be accessible as www.mysite.com/users/john/pictures. To let DAlbum correctly translate filename to browser URL, $g_sAlbumsRootBrowser must be set as follows:

$g_sAlbumsRootBrowser="/users/john/pictures";

This way an image /home/users/john/pictures/folder1/test.jpg will be linked as www.mysite.com/users/john/pictures/folder1/test.jpg and successfully displayed in client browser.

Securing DAlbum installation on Apache

When Apache web-server is used, DAlbum installation is relatively secure right after it is unpacked. Access security is achieved via set of .htaccess files.

The main .htaccess file located in the installation directory disables access to files starting with a dot:

Satisfy All

<Files ~ "^\.">
order allow,deny
allow from all
deny from all
</Files>

Files in .private folder contain only files starting with a dot and thus cannot not be accessed. Additional .htaccess in ./config blocks all access to this directory, and files from ./include do not contain any sensitive information nor can be used to hack the script.

The only directory that requires additional protection is ./pictures and its subdirectories. To prevent unauthorized access to private images, DAlbum reindex automatically creates .htaccess in all private folders.

Format of this .htaccess file depends on $g_sPrivateDir directory setting. If $g_sPrivateDir starts with a dot and thus contains a relative path, DAlbum creates a simple .htaccess file that blocks all HTTP access to the folder.

When$g_sPrivateDir contains absolute path, basic HTTP authentication can be used to access the image.

For example, DAlbum samples contain protected album "Tremblant" which can be accessed only by users user and admin.

$g_sPrivateDir is set to absolute path:

$g_sPrivateDir="/var/html/sample/pictures/.private";

A special variable $g_sSiteRootDir may also be required on virtual hosts to specify URL prefix from Apache perspective. In my particular hosting case the setting is:

$g_sSiteRootDir="/home/virtual/site221/fst";

but it will be different on your host, check already existing .htaccess files, Apache logs or contact your ISP to obtain this information. Quite likely your host will be satisfied with the default value which is an empty string.

Generated .htaccess file for "Tremblant" folder looks as follows:

AuthName "Photo Album"
AuthType Basic
AuthUserFile /home/virtual/site221/fst/var/html/dalbum/sample/.private/.htpasswd
Satisfy All

<Limit GET POST>
require user admin user
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
<Files .albumdef.ini>
order allow,deny
deny from all
</Files>

In other words, DAlbum .htpasswd file is used for authentication by Apache and access is only granted to admin and user. You may verify it by connecting to http://www.delx.ca/dalbum/sample/pictures/Mountains/Tremblant/_res/res_IMG_2879.JPG . The username/password is user/user or admin/admin.

Basic HTTP authentication

Basic HTTP authentication can only be used if PHP is installed as Apache module on Apache web server. It cannot be used with Microsoft IIS, or if PHP is running as CGI (most ISPs have PHP installed as CGI for security reasons).

In this case there are no Login/Logoff pages any longer and standard browser "Enter password" dialog is used instead:

It speeds up the server considerably: Apache does authentication and permission checks much faster than interpreted PHP script.

Before enabling basic HTTP authentication, specify $g_sPrivateDir as absolute path, reindex and verify on one of your private albums that correct .htaccess files are created.

Then edit config.php and set:

$g_bDirectAccess=true;
...
$g_bHTTPAuth=true;

Basic HTTP authentication and PHP CGI

If all images in your album are password protected, basic HTTP authentication can be used even with PHP in CGI mode.

In order to use it follow instructions in Basic HTTP authentication and create the following .htaccess file in DAlbum root directory:

AuthName "Photo Album"
AuthType Basic
AuthUserFile /var/html/dalbum/sample/.private/.htpasswd
Satisfy All
require valid-user

<Files ~ "^\.">
order allow,deny
allow from all
deny from all
</Files>

First four lines should be taken from .htaccess files inside ./pictures directory. It is very important that AuthName and AuthUserFile are identical in all .htaccess files. AuthName for .htaccess DAlbum creates is configured in $g_sAuthName variable in config.php.

Note that username/password will be required at all times to access pictures and no anonymous access is allowed.

Securing DAlbum on Microsoft IIS

As MicrosoftIIS ignores all .htaccess files supplied with DAlbum, you need to secure your installation manually. Go to Properties of the following DAlbum subdirectories:

  • ./private
  • ./config
  • ./include
  • ./pictures

and disable Read, Write and Directory browsing:

As DAlbum cannot change access control rights to directories with .htaccess files and cannot share .htpasswd file with IIS, it is best to keep direct access to images switched off in config.php (these are default settings):

$g_bDirectAccess=false;
...
$g_bHTTPAuth=false;