php - Is it possible to reliably know where an HTTP request originated without scripting? - Stack Overflow

admin管理员组

文章数量:1410712

I've been tasked with serving up an image file from our server that is referenced in an html document residing on a number of other servers. To wit:

file on foo:
<img src='.jpg'>

When a user goes to foo, it displays the image from our server, bar. (It actually sends a different image based on what website made the request.)

But here's the catch: they only want visitors of specific panies to be able to retrieve the file (currently identified by the server's domain name, but that's not a requirement).

In a perfect world, you'd just look at the HTTP_REFERER and if it's on the approved list, serve up the file. But as everyone knows, not every user agent supplies the HTTP_REFERER, and it can be spoofed anyway.

It would be better to not have to run javascript or php, but is what we're after even possible without scripting?

If not, is there a way to do this using only javascript in such a way that another website can't spoof their way into downloading the file?

If there's not, how would you approach it using PHP?

I've been tasked with serving up an image file from our server that is referenced in an html document residing on a number of other servers. To wit:

file on foo.:
<img src='http://bar./image.jpg'>

When a user goes to foo., it displays the image from our server, bar.. (It actually sends a different image based on what website made the request.)

But here's the catch: they only want visitors of specific panies to be able to retrieve the file (currently identified by the server's domain name, but that's not a requirement).

In a perfect world, you'd just look at the HTTP_REFERER and if it's on the approved list, serve up the file. But as everyone knows, not every user agent supplies the HTTP_REFERER, and it can be spoofed anyway.

It would be better to not have to run javascript or php, but is what we're after even possible without scripting?

If not, is there a way to do this using only javascript in such a way that another website can't spoof their way into downloading the file?

If there's not, how would you approach it using PHP?

• php
• javascript
• http
• http-headers
• http-referer

Share Improve this question Follow edited Aug 8, 2011 at 2:05 pbarney asked Aug 8, 2011 at 1:48 pbarneypbarney 2,89344 gold badges3939 silver badges5353 bronze badges 3

• You're talking about a website downloading a file? Files are downloaded by clients in browsers, not by websites. Each HTTP request, whether it's for a page, a script, an image, etc., is a separate request, ing from the user's browser, not the website that they're browsing. – Joe Enos Commented Aug 8, 2011 at 1:54
• Well server-to-server downloads are still possible. But it kinda sounds the OP just wants to ask "what's a good way to authenticate downloads" anyway – Evert Commented Aug 8, 2011 at 2:00
• Yeah, I get that the user agents do the downloading, and they're ultimately the problem in that they can't be trusted with HTTP_REFERER. I don't want authenticated downloads; I want any public user of a "white listed" server to be able to view the image, but no other servers. – pbarney Commented Aug 8, 2011 at 2:03

Add a ment  | 

2 Answers 2

Sorted by: Reset to default 5

In short, no. The only reliable information you have is the IP address that requested the image, but even that may be a proxy. There's no reliable way to figure out what context an image was requested in (i.e. which HTML page the image is embedded in).

What you want is to allow only certain people to access the image. There are two ways to do that:

• filter by requesting IP address if that is known
• require an authenticated session/cookie/Authorization header, i.e. password protect the image

If your webserver supports either of these checks (virtually any server can filter requests by IP), there's no need for scripting. For password authentication you may have to use scripting, depending on how exactly it should work.

(Client-side) Javascript won't be of any use here at all.

Do you have any influence over the approved panies' web apps? If so, I can think of two ways you can acplish this.

Using your foo/bar examples, where bar. is your server, and foo. is one of your approved panies:

1) Instead of the browser making a request to your server, have them make a request to an image handler on foo., which in turn makes a HTTP request to your server behind the scenes and returns the image contents back to the client. Foo's outgoing IP address would be on a white-list on your server, so all requests are actually ing from Foo's IP address. The client would see:

<img src="http://foo./imagehandler.php" />

2) Much more difficult, but if Foo cannot make the request to your servers, Foo can put a special hash in the query string of the image tag so that when the browser makes a request to your server, you'll know that the URL was built by Foo. You'll need a private key on Foo's server so that it can calculate the hash.

I'd guess the hash would be calculated based on a bination of the brower's IP address, current date/time, and the private key.

So the browser would make a request to foo./default.php, and Foo would build the following image tag for the browser:

<img src="http://bar./imagehandler.php?hash=393923A423B423F234C34" />

where that number represents the appropriate hash. In Bar's image handler code, you'll need to re-calculate that hash based on the private key which is only known to Foo and Bar, the IP address which is part of the GET request, and the current date/time. If the hash matches, then you can be pretty sure that the browser is looking at foo.'s website, and you can return the image contents.

本文标签： phpIs it possible to reliably know where an HTTP request originated without scriptingStack Overflow