ATutor

Learning Management Tools









htaccess deeplink protection


  • 2008-12-04 11:11:17

    htaccess deeplink protection

    Hi,

    I've been using flashfiles in a separate directory:
    eg: www.mydomaine.nl/atutor/flash/flashexample.swf
    I use them in the lesson-html

    How do I protect this flashexample.swf against deeplinking?
    I found this code:
    <!-- quoting:

    Options +SymLinksIfOwnerMatch
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(.*\.)?mydomain.nl(/)?.*$ [NC]
    RewriteRule .*\.(wmv|asx|jpg|gif|jpeg|swf)$ http://localhost/ [R,NC]

    unquote -->

    I have to upload it with the name .htaccess into the atutor directory, but there is already a file by that name?

    Can you please help me?

    regards and thanks
    Patrick

  • 2008-12-04 12:01:59

    Re: htaccess deeplink protection

    Hi, copy and paste
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(.*\.)?mydomain.nl(/)?.*$ [NC]
    RewriteRule .*\.(wmv|asx|jpg|gif|jpeg|swf)$ http://localhost/ [R,NC]

    Above #Forum rules

  • 2008-12-05 10:25:08

    Re: htaccess deeplink protection

    Hi Harris,
    Thanks for the quick reply

    but...
    for testing on localhost?
    <!--....!^http://(.*\.)?mydomain.nl(/)?.*$ [NC]... -->
    What should be filled in for "mydomain.nl"?

    --"localhost"
    -- 192.168.0.10 (IP address of the machine)
    -- xxxxxxx/atutor

    The address of the atutor folder is localhost/atutor
    The IP of localhost is 192.168.0.10.

    Do I have to restart the apache-server after the change?

    greetings Patrick

  • 2008-12-05 10:34:15

    Re: htaccess deeplink protection

    I think you should use 'localhost'; if it doesn't work, you will have to use your DNS (ie. www.atutor.ca).

    Note, 192.168.0.10 is not your exact machine IP, it is just your private network IP.

  • 2008-12-05 11:14:36

    Re: htaccess deeplink protection

    Hi Harris,
    I understand it's my private network IP,
    because I'm testing ATutor on a local machine before live use.

    As I mentioned, it's possible to access (view) subfolders without being logged in to ATutor

    eg. http://www.atutor.ca/atutor/demo162/jscripts/help.js (it's a demo of the atutor-site)

    But for users who are familiar with the atutor folder structure, is it possible to deeplink to pictures of an existing atutor-used site or view a lot of folders?
    How can I prevent this?

    As mentioned above, I want to secure all folders of ATutor so external access/view without being logged on is impossible.

    I want to create a folder, eg: Flashfiles, containing flashfiles.swf which appear in a pop-up, used in a course. I also want to prevent use by non-students (even when they copied or received the flash URL from a student).
    So I want to prevent deeplinking to these flash files.

    (Firefox 3.xxx always shows location bars on popup screens, even when javascript "location=no" is used in the popup script, so the URL location is visible. It's a safety measure preventing phishing, I read.)

    So the question is: how do I prevent access/viewing by non-logged-in visitors to all the atutor folders, except the login screen, and deeplinking to images I use (not uploaded by image-manager) and other files I use in self-created folders in the atutor folder/directory?

    Using another local machine IN my local network, accessing my local network and browsing to 192.168.0.10/atutor/flash/flashfile.swf, I can view the mentioned flash files without being logged in? Even when I test it offline (local machine) or live (eg: www.myatutor.nl), it won't make a difference... I guess?

    So do I need to use some index.html (..redirect scripts) or adjust or add to the htaccess file?

    Thanks in advance

    Lots of regards
    Patrick

  • 2008-12-05 12:08:43

    Re: htaccess deeplink protection

    Hi Patrick,

    Unfortunately, if you have created your own folder inside ATutor/, ATutor's code will not prevent people from accessing it. We handled deeplinking by storing all our media files inside the content/ folder, and use get.php to fetch the files from it. get.php will authenticate against the user's id when it fetches the media.

    Here are a few suggestions for you to prevent users from accessing your custom folder (ie. ATutor/flashfile/*)

    1. Make a .htaccess file inside that folder and redirect all media back to the login page. This .htaccess file is similar to the one you have posted above.
    2. Move the folder you don't want the users to get to above the www/ directory, so then the web users cannot access it directly. Then, create your own get.php file similar to the one we had, for instance, get_flash.php, and use this script to fetch all your flash files inside the course. (ie. <a href="get_flash.php?file=flashfile.swf"..>) In this case, even if FF3 shows your link as http://yourhost/ATutor/get_flash.php?file=flashfile.swf, the user will not be able to go directly to your file because your script will stop before logging in.

    Hope this helps.


    cheers,
    Harris
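
One way to write the get_flash.php script from suggestion 2 above, as an added example that is not part of the original post and is not ATutor's get.php. The session key `member_id`, the relative `login.php` redirect and the directory `/var/private/flash` are assumptions.

```php
<?php
// get_flash.php - added example, not ATutor's get.php.
// Assumptions: login code sets $_SESSION['member_id'] (hypothetical key) and
// the .swf files live in MEDIA_DIR, a directory outside the web root.

const MEDIA_DIR  = '/var/private/flash';   // assumed path, not under www/
const MIME_TYPES = ['swf' => 'application/x-shockwave-flash'];

/**
 * Map a user-supplied name to a real file inside $baseDir.
 * Returns null if the name is empty, has a non-allow-listed extension,
 * does not exist, or resolves (e.g. via a symlink) outside $baseDir.
 */
function resolve_media(string $baseDir, string $requested): ?string
{
    $name = basename($requested);          // strips "../" and any directories
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || !array_key_exists($ext, MIME_TYPES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit directly under the media directory.
    return dirname($path) === $base ? $path : null;
}

session_start();
if (empty($_SESSION['member_id'])) {       // not logged in: never touch the file
    header('Location: login.php', true, 302);
    exit;
}

$file = $_GET['file'] ?? '';
$path = is_string($file) ? resolve_media(MEDIA_DIR, $file) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}

// Extension of the requested name was validated in resolve_media().
$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
header('Content-Type: ' . MIME_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Because the session check runs on the server for every request, it does not depend on the Referer header, which later posts in this thread report as blank for some browsers, firewalls and proxies.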

  • 2008-12-05 12:15:00

    Re: htaccess deeplink protection

    I'm not exactly clear on the purpose of the flash file, but why not upload it as course content using the course file manager, then insert the file from the file manager into an ATutor content page?

    If your ATutor content/ directory is outside the web root directory, the only way to access the file would be through the content page it is embedded in, assuming the course is either protected or private.

  • 2008-12-05 12:34:06

    Re: htaccess deeplink protection

    Hi Harris and Greg,
    Thanks for your reply,
    I will try out your advice next week,
    ...why not upload it as course content using the course file manager.....
    I've had a "size problem": even after adjusting the file-size settings in the course admin page, uploading did not work, so I created my own flash folder.

    I'm gonna try it after the weekend
    Thanks for the quick reply.

    Patrick

  • 2008-12-05 12:42:13

    Re: htaccess deeplink protection

    If size is a problem, then you either need to reset course size limits as the ATutor administrator, or set upload and post limits for the server in the system's php.ini file.

  • 2008-12-09 06:54:57

    Re: htaccess deeplink protection

    Hi Greg & Harris,

    The size isn't a problem anymore. I had to reinstall ATutor, because adjusting the size limitation in ../atutor/admin/config-edit.php did not work.
    After a fresh installation of a new ATutor it works.

    Now I can upload a flash file with the file manager inside the course-content-edit page (.../atutor/editor/content-edit.php?cid=13)


    realized situation 1:
    Using this flash file in the page (imported with the file manager) is working. The page is secured against deeplinking, so without logging in (to ATutor) it's impossible to view this content; so far no explanation needed for me.

    Wished situation 2:
    However, I want to use pop-ups in the course content.
    So users (students) can choose between eg. 2 different sizes of flash files (screen-size resolutions), depending on whether they use a small screen or a big screen, by clicking a button, eg. size 800x600, or a button 1024x768

    realized situation 3:
    I can use a pop-up script which refers to another html page outside the "secured-atutor-area" which contains the flash file(s), but it can be viewed without logging in to ATutor, so also deeplink abuse.

    realized situation 4:
    I try to use a pop-up script which refers to another html page outside the "secured-atutor-area"
    with the "<object>-tag" which is used in the generated html code of the page which is generated in realized situation 1 (by using "view page source" in FF)
    It doesn't work. I get the right pop-up, without a flash file playing but only showing a link "..../flashfile.swf" which is not working.

    realized situation 4:
    I try to use a pop-up script which refers to another html page outside the "secured-atutor-area"
    with the "page-url" of the flashfile-html-page I created inside the course, eg. .../atutor/content.php?cid=13.
    The pop-up is working but redirecting to the login page of ATutor (.../atutor/login.php)
    so now the user needs to log in AGAIN to access a page which contains an ATutor message "page cannot be found"
    (eg. .../atutor/content.php?cid=13)

    I would be very grateful if you can help me (again)

    thanks in advance

    regards Patrick

  • 2008-12-09 07:00:13

    Re: htaccess deeplink protection

    correction of previous posting:

    realized situation 4:
    I try to use a pop-up script which refers to another html page outside the "secured-atutor-area"
    with the "page-url" of the flashfile-html-page I created inside the course, eg. .../atutor/content.php?cid=13.
    The pop-up is working but redirecting to the login page of ATutor (.../atutor/login.php)
    so now the user needs to log in AGAIN to access a page which contains an ATutor message "page cannot be found"
    (eg. .../atutor/content.php?cid=13)

    correction=
    I try to use a pop-up script which refers to another html page INSIDE the "secured-atutor-area"

  • 2008-12-09 07:38:08

    Re: htaccess deeplink protection

    I think this "problem" is solved by using a
    .htaccess file in a created folder ../atutor/content/(self-created)flashfiles.

    I used a few .htaccess scripts as mentioned in the postings above, but they did not protect the files
    when entering the url: 192.168.0.10/atutor/content/flashfiles/xxx.swf
    (Perhaps using a XAMPP server on an Ubuntu machine (intranet) for testing purposes and approaching it from another internal machine by using the url 192.168.0.10 (IP of the XAMPP server) is the wrong way to test??)
    I read something about htaccess & blank referral??
    Honestly, .htaccess is new to me.

  • 2008-12-09 08:26:31

    Re: htaccess deeplink protection

    The support we can offer here needs to be ATutor related. If you need to create an htaccess file to hide a file that's not part of ATutor, that's something you need to be able to figure out on your own.


    To start, see the apache documentation on htaccess.
    http://httpd.apache.org/docs/1.3/howto/htaccess.html


    When we're not busy, we might be able to help with these types of things, but right now we have more work than we can handle.

  • 2008-12-09 09:07:44

    Re: htaccess deeplink protection

    Hi Greg,

    I sorted it out.

    Probably using a XAMPP server for testing purposes in a local network (intranet) is causing a problem.

    Securing a folder on a live website is working with .htaccess.

    So I think the problems will be in the XAMPP settings (locally)

    Thank you and Harris for the advice and help

    found a great .htaccess-generator:
    http://www.htmlbasix.com/disablehotlinking.shtml

  • 2009-02-18 18:35:18

    Re: htaccess deeplink protection

    Hi, I have affiliate popups, and my option of setting the cookie for the popups, as in - hours to cookie each popup will pop up a different cookie each page that is viewed.
    And I chose how long to set the cookie for each popup

    popup code is a full javascript with the 'read cookie' bit already in it, look for a line or lines like the following:

    document.write('<SCRI'+'PT LANGUAGE="JavaScript1.1" ');
    document.write(' SRC="http://www.popupcompany.com/popup.cgi?id=xxx&affid=xxx">');
    document.write('</SCR'+'IPT>');

    I extracted code from htmlbasix.com/cookiedpopup.shtml.

    But it is working fine in Firefox, and in IE it's not working. What are all the changes I have to make in order to make this work in the IE browser?

    ------------------------
    With Regards,
    Daniel - Web Designer.
    drug rehab Center: http://www.southcoastrecovery.com

  • 2009-02-18 18:38:10

    Re: htaccess deeplink protection

    If you are asking for help, provide lots of detail so problems can be reproduced.

    Things to describe:
    Operating system ATutor is installed on -
    ATutor version -
    Patch #s applied -
    ATutor theme name -
    PHP version -
    MySQL version -
    Webserver & version -
    Copies of error messages -
    Changes to default settings -
    Web browser being used -
    ...and anything else relevant -

    In reply to:
    It is not even working on Opera browser.
    ------------------------
    With Regards,
    Daniel - Web Designer.
    http://www.southcoastrecovery.com

  • 2009-02-19 09:57:27

    Re: htaccess deeplink protection

    Let me investigate this.

    In reply to:
    Hi, I have affiliate popups, and my option of setting the cookie for the popups, as in - hours to cookie each popup will pop up a different cookie each page that is viewed.
    And I chose how long to...

  • 2009-02-19 10:24:37

    Re: htaccess deeplink protection

    How is this related to ATutor?

    In reply to:
    Let me investigate this.

  • 2009-03-16 06:30:00

    Re: htaccess deeplink protection

    Hi Daniel,

    I have tested a lot with this htaccess, but with IE it gives a lot of problems.
    I read about the problem with IE on a lot of forums.
    For example, IE is not sending a referrer when it is opening a flash file. It is a problem that a lot of postings in other forums are about.
    So using htaccess with "blocking blank referrers" is almost always giving a problem for IE.
    Also very important: some firewalls and proxy servers are blocking this referrer. So people behind such firewalls and proxies (even using FF, Chrome, Safari, Opera etc.) are at risk of being blocked from viewing some content. So I have to figure something out with the advice Harris gave:
    Subject: Re: htaccess deeplink protection
    Hi Patrick,

    Unfortunately, if you have created your own folder inside ATutor/, ATutor's code will not prevent people from accessing it. We handled deeplinking by storing all our media files inside the content/ folder, and use get.php to fetch the files from it. get.php will authenticate against the user's id when it fetches the media.

    Here are a few suggestions for you to prevent users from accessing your custom folder (ie. ATutor/flashfile/*)

    1. Make a .htaccess file inside that folder and redirect all media back to the login page. This .htaccess file is similar to the one you have posted above.
    2. Move the folder you don't want the users to get to above the www/ directory, so then the web users cannot access it directly. Then, create your own get.php file similar to the one we had, for instance, get_flash.php, and use this script to fetch all your flash files inside the course. (ie. <a href="get_flash.php?file=flashfile.swf"..>) In this case, even if FF3 shows your link as http://yourhost/ATutor/get_flash.php?file=flashfile.swf, the user will not be able to go directly to your file because your script will stop before logging in.

    Maybe you (already) found some solutions.

    Regards Patrick