
#16 2013-01-26 12:16:15

tom_rosenback
Member
2013-01-26
1

Re: Secure Images

I too see this as a security issue. One way to solve this is to move the physical image storage outside the www directory. This way no one without access to the album will have access to the file, even if they have the direct link; all access will then go through the database. I don't know if this is possible, but it would solve the access issue.

regards,
Tom
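One way to implement what Tom describes. The following is an added example, not Piwigo code and not from anyone in this thread: the files live in a directory the web server never exposes, and a small script checks the gallery's permissions before streaming one. It assumes a hypothetical storage directory /var/piwigo-storage outside the document root, a session key user_id, and a stand-in user_may_view_album() in place of the gallery's real permission lookup.

```php
<?php
// Added example (not Piwigo code): serve an image stored outside the web root
// only after an application-level access check.
// Assumptions (hypothetical): images sit under /var/piwigo-storage/<album_id>/,
// $_SESSION['user_id'] holds the logged-in user, and user_may_view_album()
// stands in for the gallery's own ACL query.

declare(strict_types=1);

const STORAGE_ROOT = '/var/piwigo-storage';   // outside DocumentRoot: no direct URL exists

function user_may_view_album(?int $userId, int $albumId): bool
{
    // Constructed sample ACL: album 7 is visible to users 1 and 3. A real
    // implementation queries the gallery database here.
    $allowed = [7 => [1, 3]];
    return $userId !== null && in_array($userId, $allowed[$albumId] ?? [], true);
}

/**
 * Resolve a client-supplied relative path to an absolute file inside STORAGE_ROOT.
 * Returns null if the path escapes the root, does not exist, or is not a regular file.
 */
function resolve_storage_path(string $relative): ?string
{
    $root = realpath(STORAGE_ROOT);
    if ($root === false) {
        return null;
    }
    $real = realpath($root . '/' . $relative);   // collapses "..", "." and symlinks
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Require the "<root>/" prefix so a sibling such as /var/piwigo-storage-old is rejected too.
    return strpos($real, $root . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

session_start();
$userId  = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$albumId = filter_input(INPUT_GET, 'album', FILTER_VALIDATE_INT);   // int, false or null
$file    = (string) filter_input(INPUT_GET, 'file');

// Authorisation first: an unauthenticated or unauthorised request never reaches the filesystem.
if (!is_int($albumId) || !user_may_view_album($userId, $albumId)) {
    http_response_code(403);
    exit('Forbidden');
}

// basename() confines the request to one file inside the album directory;
// resolve_storage_path() is the second, canonical-path check.
$path = resolve_storage_path($albumId . '/' . basename($file));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Serve only image types, detected from content rather than from the extension.
$mime = mime_content_type($path);
if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif', 'image/webp'], true)) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');   // keep shared caches from retaining a private image
readfile($path);
```

With this layout a leaked link such as /serve_image.php?album=7&file=image123.jpg is useless to anyone without a session that the gallery has authorised for album 7, which is exactly the property a file under the www directory cannot have. Thumbnails and resized derivatives need the same treatment, otherwise they become the leak.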


#17 2013-01-26 16:14:02

pewe
Member
2012-03-16
439

Re: Secure Images

tom_rosenback wrote:

I too see this as a security issue. One way to solve this is to move the physical image storage outside the www directory. This way no one without access to the album will have access to the file, even if they have the direct link; all access will then go through the database. I don't know if this is possible, but it would solve the access issue.

regards,
Tom

For those that regard security as an important issue, try this as an alternative:

I have set up a test album which has 2 levels of protection - either one or both can be used depending on requirements.

Go here
http://remotetutorials.com/photos

You will find you cannot see the home page, instead you are presented with a login request.

This is the first level of protection which prevents access to ANYWHERE in the Piwigo installation.

To get in, use the following
e-mail address: piwigo@domain.com
password: letmein

You will now be directed to the gallery home page.
On the left at the top is a Link block called 'Login Protected Area'. The second link in the block called 'Log out of site access' will log you out of the site when you are finished.

When you get in to the gallery you will see 3 albums

Locked - this is an album with the second level of protection
File Uploader - a test of a plugin for files
Locked2 - an unprotected album

You will notice the missing thumbnail for the 'Locked' album. This is because the folder where the thumbnails and re-sized images are stored is 'protected' using the second level of protection.
Click the album name and this takes you to the album where once again the thumbnail is missing. Click the file name shown where the thumbnail should be and you will be taken to the image page, which is also void of an image and only shows the name (plus the purchase option to buy using the PayPal plugin).

At this stage go back to the album page and click the link on the left at the top called 'Login for Protected Albums' - this will open a login page in a separate window where you can log in using
username: piwigo
password: letmein

The login will open your member page - leave this open and go back to the album window and now you will be able to browse the album and see all the available image sizes.

To logout of the 'protected' album access, go to the 'member' window and log out.

As I said earlier, either one or both of these protection methods can be used separately or together.

Feel free to test them to find any loopholes in the protection, and if you find any please let me know.

I am no coder, but I am sure that this facility could be coded as a 'plugin' for Piwigo - any coders interested in having a go?

Last edited by pewe (2013-01-26 16:14:53)


#18 2013-01-27 21:41:52

Kalle
Member
2012-08-17
89

Re: Secure Images

Is it possible to use PHPMembers with a different subdomain?

My Piwigo gallery is installed as a subdomain, without using a subdirectory in the final link.

Last edited by Kalle (2013-01-27 22:49:40)


#19 2013-01-28 00:23:32

pewe
Member
2012-03-16
439

Re: Secure Images

Can you give an example of your link structure and your server directory structure?

Last edited by pewe (2013-01-28 00:45:13)


#20 2013-01-28 19:35:13

Kalle
Member
2012-08-17
89

Re: Secure Images

Piwigo is installed in /webspace/piwigo as the domain root and is started with http://piwigo.mydomain.tld

I want to install phpmembers at /webspace/phpmembers and use http://phpmembers.mydomain.tld for it.


#21 2013-01-29 14:06:09

pewe
Member
2012-03-16
439

Re: Secure Images

Sorry for the delay in answering - I had to test it out and it does work with subdomains.

My installation of PHPmembers is on www.remotetutorials.com and I have set up a subdomain at piwigo.remotetutorials.com, which I can protect using the PHPmembers on the main domain.

Apparently PHPmembers will work OK with subdomains, but not across domains where the domain is not the same name - a cookies issue.


#22 2013-01-30 01:32:22

Kalle
Member
2012-08-17
89

Re: Secure Images

What does the directory structure of your test look like?

phpmembers can't be installed in a subdirectory of the application it should control. True?


#23 2013-01-30 02:05:07

pewe
Member
2012-03-16
439

Re: Secure Images

True.
If you put it in the 'piwigo' subdomain you have no access.

The structure you need is
http://phpmembers.mydomain.tld with your phpmembers installation. In this, set up a 'protected folder' at /webspace/piwigo.

That should do it.


#24 2013-01-30 18:10:40

flop25
Piwigo Team
2006-07-06
7037

Re: Secure Images

Hi all,
just to warn you: I've tested it and found a flaw.
I will just talk about the issue when a user is already granted: a geek like me (I'm not a programmer) can set a cookie like this one, phpmem_auth_groups=.1-d0988c45656efbe154c9c37416877b5e..2-159616d8ad851a6df26dba4b125f84aa..3-0a6abe11852ce00d64e86f282441be23.; path=/; domain=localhost, and get access to the protected folders.
So it's not as obvious as a simple link - it requires a link and a cookie (which can be set to never expire) - but it is still easily done without getting the id/pwd.
Anyway, a granted user is a granted one! So he can still give his id/pwd. Yes, this script will prevent basic users from getting the url and copy/pasting it by mistake.


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website
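The weakness flop25 describes is that the cookie value can be assembled from fixed group identifiers without ever logging in. As an added example (not PHPmembers or Piwigo code, and not from anyone in this thread), here is a cookie design that closes that gap: the value carries the group list and an expiry time and is authenticated with an HMAC under a secret that only the server holds, so a value built without the secret fails verification, and a copied value stops working once it expires. The function names, the demo secret, and the sample timestamps are constructed for the example.

```php
<?php
// Added example (not PHPmembers or Piwigo code): a group-membership cookie whose
// value is authenticated with an HMAC over "<groups>|<expiry>", so a client
// cannot assemble a valid value from known group identifiers alone.
// Assumption: $secret is a random per-site key stored server-side (e.g. in config).

declare(strict_types=1);

/** Build the cookie value: "1,2|<unix expiry>|<hex hmac>". $now is injectable for testing. */
function issue_auth_cookie(array $groupIds, string $secret, int $ttlSeconds, ?int $now = null): string
{
    $now = $now ?? time();
    $payload = implode(',', array_map('intval', $groupIds)) . '|' . ($now + $ttlSeconds);
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $mac;
}

/** Return the granted group ids, or null if the cookie is missing, forged, or expired. */
function verify_auth_cookie(?string $value, string $secret, ?int $now = null): ?array
{
    if ($value === null) {
        return null;
    }
    $parts = explode('|', $value);
    if (count($parts) !== 3) {
        return null;
    }
    [$groups, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $groups . '|' . $expires, $secret);
    if (!hash_equals($expected, $mac)) {        // constant-time comparison of the MAC
        return null;
    }
    if (!ctype_digit($expires) || (int) $expires < ($now ?? time())) {
        return null;                             // expired (or malformed expiry field)
    }
    return array_map('intval', explode(',', $groups));
}

// Demonstration with a constructed secret; a real deployment uses a random key.
$secret = 'constructed-demo-secret-do-not-use';
$issued = 1359570000;                                            // constructed timestamp
$cookie = issue_auth_cookie([1, 2], $secret, 3600, $issued);

var_dump(verify_auth_cookie($cookie, $secret, $issued + 1));     // array(1, 2): valid
var_dump(verify_auth_cookie('1,2,3|' . PHP_INT_MAX . '|' . md5('3'), $secret));
                                                                 // NULL: no MAC under the secret
var_dump(verify_auth_cookie($cookie, $secret, $issued + 7200));  // NULL: expired

// Sending it with the flags a browser honours (array form needs PHP 7.3+):
// setcookie('phpmem_auth_groups', $cookie, ['expires' => time() + 3600, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

A signed cookie is still a bearer token: a value copied from a logged-in browser remains valid until the expiry, which is why the TTL should be short. Keeping the grant in a server-side session (the cookie holds only a random session id and the group list is looked up on the server) removes even that window, and the Secure and HttpOnly flags keep the value off plain HTTP and out of reach of page scripts.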


#25 2013-01-30 18:51:12

pewe
Member
2012-03-16
439

Re: Secure Images

Thank you for the feedback flop.

Obviously PHPMember is not a top security package, as it is free, but I think it could be very useful as a deterrent for most Piwigo users who want to make their installations harder to view for non-authorised visitors.

I can't imagine too many people would be passing on cookie details to others to break into a site - although one never knows.

Just as a matter of interest, if someone was given the details from a cookie, how would they fake it in their browser, such as Firefox?
I don't know how to do it (never had a need to do it) and a brief search has not yet given me any positive answers.


#26 2013-01-30 18:54:54

flop25
Piwigo Team
2006-07-06
7037

Re: Secure Images

pewe wrote:

Just as a matter of interest, if someone was given the details from a cookie, how would they fake it in their browser, such as Firefox?
I don't know how to do it (never had a need to do it) and a brief search has not yet given me any positive answers.

You just need to create the cookie with the info provided, using a module which allows that for Firefox, like Cookies Manager+ mainly.


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website


#27 2013-04-28 14:28:49

gwp
Member
2013-04-28
2

Re: Secure Images

Hello all, first post so be gentle :)
I am currently uploading your gallery to my site, so I haven't really had a chance to try your gallery yet, but

you could try this .htaccess file in the root of your albums.
I am assuming that all your albums are in public_html\piwigo\galleries
so you could have
\galleries\album1
\galleries\album2

and your large images are stored in these folders, below the /galleries folder.

Code:

# Redirect requests for large images (.../large/*.jpg anywhere below this folder) unless
# the Referer is the gallery page. The Referer header is supplied by the client and is
# often absent, so this is a deterrent against pasted links, not an access control.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !galleries/index\.php\?level=\w+&id=\d+$ [NC]
# An absolute URL as the target makes Apache answer with an external redirect.
RewriteRule /large/.+\.jpg$ http://YOURWEBSITE.co.uk/index.html [NC,L]

You will need to change the URL of YOURWEBSITE.

What this does .....

Let's say you have an image in folder1 called image123.jpg and you also have an image in folder2 called image456.jpg.

If the visitor gets the full URL from your website to the large image at:
www.myco.uk/piwigo/galleries/folder1/image123.jpg

they then copy the URL and paste it into an email (or whatever) to a friend.
If the friend then opens that URL, the script will redirect them to your homepage.

This script will protect, in the same way, any image in any folder under the /galleries folder.

Last edited by gwp (2013-04-28 14:34:00)


#28 2013-08-19 21:52:30

GOPIWI
Member
2013-08-19
27

Re: Secure Images

Hi,

To the OP: I would like to suggest taking a look into HTTP authentication - it is not so complicated to set up the Apache web server to authenticate users; see an explanation e.g. here.

This way it is not possible to read the images without authentication; however, you get all-or-nothing, so public albums are not possible with this solution. Also, more complicated setups with access for several groups / users to different albums will not work as expected, as long as it is not directly supported by the Piwigo authentication process, but you can set up a private gallery without too much hassle.

Have a nice day,
John


#29 2013-08-19 23:22:35

GOPIWI
Member
2013-08-19
27

Re: Secure Images

Hi,

I just learned that Piwigo supports HTTP authentication - just use

Code:

$conf['apache_authentication'] = true;

in your config.

Please read on here:

http://piwigo.org/forum/viewtopic.php?p … 02#p145502

Have a nice day,
John


#30 2013-08-21 06:59:48

hkdigit
Translation Team
Hong Kong
2013-05-23
89

Re: Secure Images

It does not prevent copying and pasting the URL to see the image, but the below can prevent it being shown on other sites.

http://www.htaccesstools.com/hotlink-protection/

Hope this helps a little bit.

IMHO, there is no 100% safe way to secure it once it is put online.

