http_referrer in embedded images?

tsilihin

I'm writing a global authentication system for a website (online journals and travel directory) and part of this requires that some images may not be accessed directly via a typed url.

The images themselves are stored in a database, and called from a script.

My question is:

If an image is embedded in an html file, does the url of the html file qualify as the referer when the image is called from it, or are referers only applicable to accesses via a link?

Thanks

rapbhan

Can u put me in more detail please ?

tsilihin

Okay - for example:

The php-builder logo at the top-left of this page - since this image is being called from this page, does this page qualify as the referer for the image?

coditoergosum

No, this page isn't going to be the HTTP_REFERER for the image. I think what you need to understand is, each item doesn't have it's own HTTP_REFERER, it's global. If I click a link that goes to phpbuilder.com, the HTTP_REFERER is going to be whatever page that link was on... and it's going to be the same for the entire request.

As far as your problem goes, it's tough to actually secure images that you want some people to get, but not others. You could always disable directory listing on the dir the images are stored in... that way a person would have to know the exact url to the file in order to get it, which I would think would be secure enough. If you need even more security for some reason, the only other way to do it would be to make PHP send the image to the browser... rather than just have php send a link to the file. You have to have a recent version of the GD image library in order to do this. This is complicated, and will put more demand on your webserver though.

tsilihin

I have set up this example to show that if an iframe is called within a document, the http_referer for the source script of the iframe will be the parent document, just as if it had been called instead from a link.

My question is basically: If a script embedded in an iframe sees the parent as the http_referer, could it be the same for an embedded image?

Regarding authentication etc - I have actually implemented a script to generate and display the image from binary data contained in the database, and that script references and executes an authentication class before it goes any further.

You don't need to use GD if you have the file accurately stored in the database (ie if you use the columns file_size,file_type,file_name,bin_data). You simply use some code like this in the script (uses ADODB):

<?

$conn = &ADONewConnection($db[0]['type']); 
$conn->PConnect(
    $db[0]['host'],
    $db[0]['user'],
    $db[0]['pass'],
    $db[0]['name']
    );

if (!$_GET['id']) {
    die();
    }

$sql = 'SELECT ' .
    'bin_data,' .
    'file_type,' .
    'file_name,' .
    'file_size' .
    ' FROM attachments WHERE ' .
    'id = "' . $_GET['id'] . '"';

$file = $conn->Execute($sql);

header('Content-type: ' . $file->fields[1]);
header('Content-Length: ' . $file->fields[3]); 
header('Content-Disposition: attachment; filename=' . $file->fields[2]);
header("Content-Description: PHP Generated Data");

echo $file->fields[0];

?>

tsilihin

Hrmm....seems I solved my own problem 🙂

I embedded a script that emails me the http_referrer in an image tag. It ended up emailing me the url of the parent, so I guess I can safely assume embedded remote elements have their own http_referer.

Thanks for the help anyway