Menu
Community /Pin to ProfileBookmark
@NogDogMar 03.2011 — #Not 100% sure this would work, but it's probably what I would try:
main page:
file-server:
@NogDogMar 03.2011 — #
If you are going to send a file to a client, there is ultimately no way to stop somebody determined enough and knowledgeable enough from capturing it. The best you can hope is to make it difficult enough to stop the less determined/less knowledgeable people. At some point the file will be on the user's computer, so if they know where to look for it, they can copy/move it from that cache location to somewhere more permanent. A little clever use of cURL in a PHP script could capture it, too.@NogDogMar 03.2011 — #My first thought was to add a url query string variable to the last one, and only delete the session/variable tokens if that $_GET element is present. However, I'm not sure there's any guarantee that the client will request them in the order in which they appear in the style block. So what I'm thinking now is to set a separate session variable for each font type, then delete that session variable as it's processed.
PHP Securing Files
I should know how to come up with this solution but I’m having a bit of brain freeze or something tonight.
I’m trying to secure the font files that I’ll be using so I won’t allow people to download them when they view my css. I figured I’d use a php script to serve the font files (stored below the web root) to my CSS file, but how do I do it?
My CSS would be:
[code]
@font-face {
font-family: ‘TradeGothic BoldCond Twenty’;
src: local(‘TradeGothic BoldCond Twenty’),
url(‘http://example.com/fonts/myscript.php?somekey’),
etc etc etc
}
and use a php script to basically do this:
[code=php]
header(‘Content-Type: font/opentype’);
echo file_get_contents(“/path/to/font.ttf”);
But I need a way of securing it so people can’t just type in [url]http://example.com/fonts/myscript.php?somekey
I am pretty sure that there’s not a single superglobal in $_SERVER that I can rely on, like HTTP_REFERER, but I’m at a total loss of how to do it, at least to the best of my ability.
Sign in
to post a comment9 Comments(s) ↴
0
@NogDogMar 03.2011 — #Not 100% sure this would work, but it's probably what I would try:main page:
[code=php]
<?php
session_start();
$token = uniqid();
$_SESSION['token'] = $token;
setcookie('token', $token, 0);
[/code]file-server:
[code=php]
<?php
session_start();
if(!isset($_COOKIE['token']) or !isset($_SESSION['token']) or
$_COOKIE['token'] != $_SESSION['token']) {
header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found");
exit;
}
// so that copying from the HTML source won't work
setcookie('token', '', 1);
unset($_SESSION['token']);
// rest of script...
?>
[/code]0
@NogDogMar 03.2011 — #Thanks NogDog, very interesting indeed.
EDIT: Had an .htaccess thought, wasn't relevant.
So, if the browser can read the font, is there any type of sniffing tool that can capture the request from the web page and download the font?[/QUOTE]
If you are going to send a file to a client, there is ultimately no way to stop somebody determined enough and knowledgeable enough from capturing it. The best you can hope is to make it difficult enough to stop the less determined/less knowledgeable people. At some point the file will be on the user's computer, so if they know where to look for it, they can copy/move it from that cache location to somewhere more permanent. A little clever use of cURL in a PHP script could capture it, too.
0
@NogDogMar 03.2011 — #My first thought was to add a url query string variable to the last one, and only delete the session/variable tokens if that $_GET element is present. However, I'm not sure there's any guarantee that the client will request them in the order in which they appear in the style block. So what I'm thinking now is to set a separate session variable for each font type, then delete that session variable as it's processed.[code=php]
<?php
session_start();
$token = uniqid();
$_SESSION['token'] = array(
'eot' => $token,
'woff' => $token,
'ttf' => $token,
'svg' => $token
);
setcookie('token', $token, 0);
[/code][code=php]
<?php
session_start();
$types = array('eot', 'woff', 'ttf', 'svg');
$fontType = false;
foreach($types as $type) {
if(isset($_GET[$type])) {
$fontType = $type;
break;
}
}
if($fontType == false
or !isset($_COOKIE['token'])
or !isset($_SESSION['token'])
or $_COOKIE['token'] != $_SESSION['token'][$fontType])
{
header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found");
exit;
}
// so that copying from the HTML source won't work
unset($_SESSION['token'][$type]);
// rest of script...
?>
[/code]