Security for a Small Stock Photo Company

ExTex asks: "I am a commercial photographer, and I also run a very small stock photography company. Most of the sales that I make are to existing clients or from referrals. Currently, when I make a sale I upload a ZIP file of the image and create a unique web page for the customer to download. I pull the page shortly after the client has confirmed receipt. This is easy, when I'm in the office, but can be a challenge if I'm out in the field on a shoot. At some point I'd like to be able to have 400 of my best images already pre-zipped and loaded to my web host for quick download. I'm wondering how best to secure the images to prevent unauthorized download but also make it relatively easy for the typical un-savvy client."

.htaccess?

assuming you're using apache, .htaccess should do the trick

Re:.htaccess?

[D'Sphitz]

Or keep them out of the document root. Create a script that will allow you to select images, zip them up, and move them to a temporary directory within document root (and additionally create a .htaccess and .htpasswd file to protect the directory). Give the client the url and login, and have a cron script clean up the temporary files every day or two, or do it manually.

Porn site?

[gambit3]

Not to trivialize or suggest that the poster is a actually planning to run a porn site.. but doesn't this sound very much like just running a basic adult site? i.e., You already have the pics uploaded, and you just need a mechanism to provide access to specific areas. i.e., Porn site.

Re:Porn site?

[gambit3]

Whoa.. thanks for the quick flamebait...

why even bother reading the post? "I am mod, hear me roar!!"

Read the original post:
"At some point I'd like to be able to have 400 of my best images already pre-zipped and loaded to my web host for quick download. I'm wondering how best to secure the images to prevent unauthorized download but also make it relatively easy for the typical un-savvy client."

Isn't that just calling for an adult-website-type solution? That's exactly what adult websites do: they have their posting of their product, be it pictures or videos, and when you buy access to those, you get provided with a username and password, which usually lasts only a few days. Isn't that what the OP is asking for?

But, for the idiots who have their scripts set to mod "Flamebait" if it reads the word "porn" (pornpornpornpornpornpornpornporn!!!!), here's some simple javascript solutions (if you want more security, I would suggest .htaccess):

http://javascript.internet.com/passwords/gatekeepe r.html
http://www.javascript-page.com/passwords/

Re:Porn site?

[duffbeer703]

Do people really write scripts to parse slashdot?

I thought reading this site was a pointless waste of time... writing scripts to customize what you see is a disturbingly excessive waste of time!

Re:Porn site?

[falconwolf]

Not to trivialize or suggest that the poster is a actually planning to run a porn site.. but doesn't this sound very much like just running a basic adult site? i.e., You already have the pics uploaded, and you just need a mechanism to provide access to specific areas. i.e., Porn site.

I hope this is an attempt to be funny. In case it's not, stock photo agencies typically sale individual photos, one two, or more at a tyme. These photos are used for ads, news, and pr amoung other things. And that's what it sounds like this person is asking about. This makes running a stock photo website different than porn websites which sell subscriptions. I've thought of doing the same thing. Though I've photographed weddings and was my unit's photographer while I was in the army I've never been paid for it but I'd like to make some money from photography. Actually I'm hoping to be able to pay some of my expenses if and when I go to Brazil in a few years by selling photographs. If and when I do setup a website for selling my photos I plan selling individual photos not access to all the photos at once. And they aren't porn, I shoot mostly outdoors, nature, water, and cultural scenes.

Falcon

OS commerce shopping cart

[enrico_suave]

you can do this with OS Commerce open source online shopping cart.

You can create protected digital download store "items" and determine how many times they are able to download a give stock photo or whether it expires after a given amount of time.

Add credit card processing and you have a reasonably fully automated system.

e.

Re:OS commerce shopping cart

[D'Sphitz]

Except OsCommerce really sucks balls.

Re:OS commerce shopping cart

[enrico_suave]

Well that's certainly constructive.... well creating a script to copy stuff back and forth from below the document root and back sucks balls too. Neeener neener!

Re:OS commerce shopping cart

[D'Sphitz]

maybe, maybe not. but oscommerce really does suck. Unfortunately, through references i've become the "Go To" man for any and all OsCommerce projects for way too many clients, for hacks, fixes, modifications and shit like that. I don't like this, I don't want it, and i'm sorry I know the code so well. Yeah, the scripts may work, but the code is such a jumbled cluster fuck that you can't tell heads from tails. To add to the enjoyment, nearly all of the code is duplicated in the /admin/ folder so you get to double up all of your edits. Apparently, there wasn't any reasonable way available to share code between directories. So yeah, neener neener.

Re:OS commerce shopping cart

[larry+bagina]

I agree. It's a complete mess. I use it to run a 4000 item store. I do almost all the administration via perl scripts and completely new (from scratch) php scripts (using PEAR::DB, not their horrible sql classes). It wasn't worth my time to try to fix the major deficiencies in the existing admin tools.

Looking for an off the shelf solution?

[ip_vjl]

Are you looking for an off the shelf solution for this?

Because this kind of thing would be pretty easy with any scripting language (PHP, Perl, ColdFusion, .NET, what have you).

Just issue a 'ticket' (token in URL) to the client when they purchase. That token can be stored on the site to allow access for a certain amount of time. You could also throttle it so that too many attempts on the same ticket trigger a lockout until you've had a chance to review it.

Otherwise, send them the URL (with the token) and give them 24 (or whatever) hours to download the file. (If they try to download more than X times before the ticket expires - lock it out until you've made sure it isn't that they've given the ticket out to 10,000 of their friends).

Use an order-specific symlink

[akh]

Unix-specific solution:

• Place the zipfiles into a directory readable by the webserver but not accessable over HTTP. Call it something like /webroot/private
• Create a second directory, writable by your shopping cart script and HTTP-accessable. Call it something like /webroot/orders
• When a customer places and order, have the script create a symbolic link from the private directory to an order-specific filename in the public directory (an MD5 sum of e.g. the time + process id might make an appropriate filename)
• Provide a link to the symlinked file in the customer's receipt

For example:

In the script:
ln -s /webroot/private/CONTENT.zip /wehroot/orders/RANDOM_FILENAME.zip

In the receipt:
<a href="http://example.com/orders/RANDOM_FILENAME.zi p">Click here to download</a>

(Thank you slashcode for clobbering that code - get rid of the space in 'zip' and the '[example.com]' string, above)

This isn't foolproof since customers can still pass the URL on to others. If they do though, you'll know who did it based on the order-specific filename.

Reply from Original Poster re: off the shelf

[ExTex]

Right now the sales volume is pretty low. Maybe five transactions per month. I'll get an order and upload the file to a site that is separate from my main photography portfolio site. The compressed .sit or .zip file generally weighs in at about 20 MB and can be uploaded via my consumer grade DSL connection via Mac FTP (Fetch) within about 8 to 10 minutes. Once it has been uploaded, I test the link from a browser and e-mail the buyer a link that would look something like this: www.mystocksite.com/Jones.sit The buyer, Ms. or Mr. Jones would then download using any browser. Usually the next day I'll pull the file. The issue that I'm now having is that I spend quite a bit of time in the field and can't quickly or easily pull the file, compress it, upload it, test it, and then notify the buyer that it's now ready. Last month I had three sales that took place while I was out of town and I had to work from a wifi spot as well as my hotel room to close the sales. I'm not looking for a turnkey ecommerce set up since I'm always paid by check adn I really don't want to get involved with a merchant credit card system or PayPal. Right now it's a pretty secure system because of the unique file name scheme that I'm using that is specific to the buyer. Not to mention the fact that the files are removed pretty quickly. This won't work for 400 files that require a consistent naming scheme. Another option is that the stuffed or zipped file can be password protected upon creation. I'm concerned that individual passwords might be too hard to remotely manage (remember) but a global password might be too insecure. Other things about my set-up: -I'm a Mac operation and have no Linux experience. -I have 10 GB storage from my web host.

Re:Reply from Original Poster re: off the shelf

[mugnyte]

  There is simple technology to begin your process by having you just put the file in a directory. It would:

  - Be informed when the file was dropped, and upon such event, compress w/pw, rename, and copy to newly-created customer-specific (web facing) dir. Then archive to another machine/dir

  - Passwords, like the dir names, should be something reflective of the customer, but not difficult to remember nor easy to discern. Perhaps their last name and last x digits of their [phone/zip code/ssn/creditcard] + some transaction number.

  - Login screen compares passwords, redirects to preview/download panel, where all photos are there "checkbox & go"-style download. Download access is logged by the web server.

  - This same program can check the file exposure times until either a deadline or a logfile says it's been downloaded x times. Then delete from the directory.

  - If your customer calls and says they need to download again, or restart the process, you can send email to a dedicated address, which can be picked up by the program to pull from archive and re-publish.

  - Having this amount of infrastructure would get you ready for a paypal integration, where the shopping cart was filled by the checkboxes, then the paypal rediection after purchase takes them to a family of zips to download. But you're right, don't do this until your clients prefer it to dealing direct.

- Given you're on a Mac, it wouldn't make too much difference. However, your host may prefer you run these automation programs from your own server. This would ftp the files up once you dropped the images locally. Anyway, minor concern.

Most of this could be accomplished with maybe 2 or 3 full days of programming by an experienced person, or maybe a week of nights to get all the pieces in place/kinks worked out.

mug

Re:Reply from Original Poster re: off the shelf

[ip_vjl]

I'll outline the shell of it here, but you'll have to do the legwork to complete it (or hire someone who can) as it it too detailed to put in a post here.

Since PHP is pretty ubiquitous on webhosts, I'll assume PHP for the scripting.

You could do this with or without a database. I'll outline a path for doing it WITHOUT a db.

1) Make sure all your files have some sort of ID number for the filename (makes life easier).

2) Store *all* your files in a non-web accessible directory
ex. if your webroot is /username/public_html/
store your pics in /username/photos/

this way, they can't be downloaded directly from the browser.

If you can't create a directory above your webroot, then make it inside your webroot, but protect it with .htaccess

3) When a customer makes a purchase, you'll have an admin page that lets you create a 'download ticket' - when you load this page, you supply an email address and an image ID number (see #1) and it generates a 'ticket' that they can use to download the picture. (see 3a-b for details)

3a) Since this isn't Fort Knox, security doesn't need to be super tight, just enough to prevent casual sharing.
I would suggest a ticket be in a format like this.
0000-12345abc-12345678

where '0000' represents the image ID number
12345abc is the 'expiration date' encoded into base 16 (to be shorter)
12345678 - is every 4th digit of the MD5 (to keep it shorter) of the image number / date / and some secret string (that only is known to your web server)

3b) The admin page sends an email to the client using the email you provided.
"You can download your image at:
http://www.example.com/get.php?t=0000-12345abc-123 45678

This link will be functional until xxx-xx-xxxx blah blah blah"

4) You have a page 'get.php' that looks at the $_REQUEST['t'] value and does a comparison.

4a) Split the ticket into its parts ('0000' , '12345abc', '12345678')
4b) Calculate the MD5 of part 1 + part 2 + 'secret string'
4c) Get every 4th char, does it equal part 3? If not, DO NOT DOWNLOAD THE FILE, if so, continue
4d) Check the date, has it expired? If so, DO NOT DOWNLOAD THE FILE, if not DOWNLOAD THE FILE (see fpassthru() in PHP)

--

Notes:

With a database, you can record number of attempts per ticket to make sure someone isn't trying to brute force access by doing an incremental attack on the checksum (part 3) as there are only 4,294,967,296 possible combinations (16^8).

You could also add some sort of logging so that you can see who has attempted to download the file, etc.

You'd also want to make sure you're properly sanitizing the input as (at some point) you'll be translating the input value to a file path, so you need to make sure there are no potential attack vectors for walking the file system (which shouldn't happen if you check your MD5 first, but it would still be possible, especially since you're only using 1/4 of the check digits).

You want to keep the URL as short as possible for downloading so that the ticket doesn't word-wrap in their email. If it breaks, it may not be clickable any more. You'll probably also want instructions so that they can enter the ticket manually on the page, if the link in their email breaks.

Arguably, if someone figured out your secret phrase (the one you use in MD5 generation) they could generate tickets to download any of your files, but the only way they should be able to do that is if they have access to your box - which if they have access to your box they already have access to your files.

--

Re:Reply from Original Poster re: off the shelf

[ibbey]

This is all great info. One thing I'd do a bit different, though. If you add a username/password system, you can simplify the entire delivery system. Instead of emailing a link to the image, your confirmation would link to your login page where your buyer can download any images they have purchased. This is a minor improvement, but it will make the user experience better, particularly if they buy multiple images. This is also a necessary step towards making an actual shopping cart system. Keep in mind that once you've got this much done, alot of the way to a full online shopping system. Add in an online image catalog, a shopping cart & credit card processing, and you've got a complete (if basic) online store.

Re:Reply from Original Poster re: off the shelf

[haystor]

At 20M you could probably just email it to them.

Re:Reply from Original Poster re: off the shelf

[Suppafly]

Now just go to rentacoder and pay some Indian firm about $50 to implement it for you.

Re:Reply from Original Poster re: off the shelf

[topham]

As what, 20 different email messages?

Many ISP's have limits of 1-2 Megabytes per message, and a message encoded for sending via email grows by 33% (giver or take).

Someone here already mentioned the best solution: a program which checks the credentials when the user attempts to download an image. The image is only supplied when the credentials match. The easiest way to implement it is with a fully functional store front, but you could make it simpler than that. (And, if this guy doesn't want credit card processing he could probably come up with a token based system. Users could send him a checque the get tokens and the tokens are consumed when they download an image. ).

There are plenty of good solutions for this, but I am afraid he will have to pay for them and thats why he doesn't want to do them. It's rather short sited in my opinion. If you run a half-assed website for people to purchase products from you then you won't get as many customers as if it looks like a full blown commercial venture. (No, it doesn't have to have a catalog of 20,000 images, etc. just look professional.

this may seem over-trivial but...

[Beowulf_Boy]

.Zip or .Rar supports passworded files, correct?

Just have all of the files up on the site, and when a customer purchases one file, give them the password for it.

Re:this may seem over-trivial but...

And they can be cracked in a matter of hours on any nearly any machine

Re:this may seem over-trivial but...

[ebrandsberg]

While noting that .zip security may be fairly easy to violate, if you create random names, unbrowsable directories (so the client needs to know the name of the file to download it) and password protected files, then it is easy to send ftp links with passwords for each purchase and be guaranteed fair security. As such, this is probably "good enough" for what is needed, and 100% security need not apply, if there is such a thing.

Re:this may seem over-trivial but...

[gothzilla]

Not since the new winzips. Previous versions were easy to crack because they stored the password in each file. All you had to do was look for matching code in each file and you had the pass. The new one is much better. If you use a long enough password you can make it pretty secure. These are pictures anyway, not government secrets.

From Original Poster Re:Porn site?

[ExTex]

Unlike an adult site, the sale of stock photography is generally done one photograph at a time. The customer will purchase specific reproduction rights for a single shot. I don't want to offer access to more than one image at a time. Buyers chose a photo to purchase from my main portfolio site or from a printed portfolio of my work. Once they have committed to the purchase the buyer is directed to the site that holds only images for download. They won't even be able to view or preview the shot from the stock site.

Re:From Original Poster Re:Porn site?

[Thalagyrt]

I'd think you could write up a simple php script that'll use passthru() to send the contents of the file through. You'd have to send a header with the file type first and to specificy download. That way you can auth the user against your purchased database, and only if they've purchased it can they download that image. I'm sure there's software out there that does this already and is integrated into a storefront - A poster further down the thread mentioned OSCommerce, so check that out. It shouldn't be too hard to come up with an in house script to do it, and if done properly that would be far more elegant than OSCommerce.

Re:From Original Poster Re:Porn site?

[ibbey]

I think you're looking at the problem from the wrong direction. Rather then simply looking for a better way of delivering the content, I'd suggest looking at a better way of selling the images. I don't know how you currently market your images, but if you had a shopping cart system to actually sell the images online, you would probably increase your sales.

I'd strongly recommend that you look at the various off-the-shelf shopping cart systems out there. I'm willing to bet that at least one of them gracefully supports delivery of digital content. This will probably be more complicated then just writing a quick PHP script, but in the long run I bet you'll be much happier with the result.

Re:From Original Poster Re:Porn site?

if done properly that would be far more elegant than OSCommerce.

Taking a shit on a piece of bread then eating it would be more elegant than osCommerce. A competent programmer could write something to do what the questioner wants in less time than it would take to test, patch, and modify osCommerce. Plus, it would be maintainable in the future.

Re:From Original Poster Re:Porn site?

[i.r.id10t]

Since you want to do it one pic at a time, it should be relatively easy.

Store image names, prices, and file locations (someplace not served up by your webserver, but accessable by the user your webserver runs as) in a database. Present the user with a "browse" page of thumbnails, each one linked to a "buy" script with the image identifier as a arg. On the buy script page, collect CC info, process it, and either serive the image up and force download/save (if CC can get OK "instantly") or email a unique URL that will ask the customer to confirm some sort of information (last 5 digits of cc number, etc), check to make sure the purchase is valid and hasn't been re-downloaded too many times, then send the file with a forced download/save.

Lots of options, but what do you know?

[JavaRob]

Do you know how to use any kind of scripting language? Even a shell script would make this much easier.

Personally I'd probably store the files pre-zipped in a non-web accessible directory, then write a simple gateway application that limited access, and would feed the file to the client if they qualified for it. This could be backed with a database with actual client info (which you'd need to update when they made a purchase), or it could be as simple as a "passphrase" that you'd give them that is based on the date and the filename, and the script would decode it.

Next level down -- you could write a script that ran every night at 2am, and changed your directory names based on the current date (using a formula which you could duplicate on a calculator, to pass out valid one-day links to clients). (This script would be pretty easy -- if you don't know anyone who'd do this for you as a favor, your web host might help).

OR -- you could actually set up .htaccess-style password protection for your zipped files, with a different username-password for each file. You don't have to remember them -- just print out a reference copy and check the chart when you make a sale, or use a formula that you can calculate based on the filename. This would work pretty well. You could mix in the idea above -- and change the passwords automatically, daily. This would make your chart more complicated... but still chartable.

These are all "security through obscurity" methods -- but honestly as long as you put it together thoughtfully and you don't have a huge risk to worry about, that's okay.

At the very least, I'd advise you to learn the basics of Linux/UNIX command line navigation -- if you have all of your zipped files already on the server in a directory OUTSIDE of your web directory, it's quite trivial and very quick to use telnet to copy one zipped file from your archives to "jones.sit" in your web directory, then delete that later; e.g.,
    [ssh to your host]
    cp archives/people/jumpingman.sit webroot/jones.sit
then the next day:
    rm webroot/jones.sit

Other nice commands to know: ls, cd, and cwd (show directory listing, change directory, and show current working directory).

From what you said, you can probably fit all of your zipped images on the server, right?

trivial

[FooAtWFU]

Stuff image in non-web-accessible directory. Write or find script to serve the image over HTTP from said directory based on parameters in HTTP POST, GET, cookies and/or sessions of some sort. Have script check user's authorization and such credentials, and proceed only if they are valid. Stuff script in script-able directory.

A half-brain-dead code monkey could do this.

Re:trivial

[Intron]

You need a half-brain-dead monkey to code this? In that case, I would recommend Experts Exchange. They have lots.

Photo proofing - 3rd party solution

[spinuser]

There is a solution provided by http://www.proofpod.com/ that might fit your needs. I know that you can use the tool to make images available to your client via authentication for reviewing and purchasing.

One time download

[kinneh]

If you have a ISP that allows perl-cgi:s you could easily install OTP, and build a system where you have the files ready to go.

Good thing

[Gothmolly]

because most code-monkeys ARE half brain-dead.

Lighttpd! It has this feature!!!!

Try lighty its one of the features it has that apache doesn't... its not the only needed feature by many sites that apache is missing there are about a gazallian more... I don't know why it doesn't have apache market share as so many things about it makes it better from lower memory footprint to being able to handle a slashdotting VERY VERY well.

Its under the revised BSD license so its license is better than Apache's.

And before you say it doesn't have .htaccess support... well read why thats a good thing and it has something better than .htaccess support to replace it

Oh yea most of the biggest torrent trackers are using lighty.

If you are uploading from out of the office

[VernonNemitz]

Why do you need to use a Web site, anyway? Why not carry your files around in a Flash device, and upload directly to the client?

Say what?

[chivo243]

booga woooga bzzzzbzzz dooodododododo do you make the kids laugh? Ever see the episode of the Little Rascals when Spanky "has to get his pitchur took" or living in oblivion?

.htaccess is perfect

[Jeff+Pflueger]

I too am a photographer. Here's my website.

I know well the problem that you are talking about.

I use .htaccess. Means the client will need a user/password to access the files. No big deal.

Just a week ago I was working on a Perl script to write the htaccess files automatically so that I could use the Perl based GUI web interface I wrote to upload images for clients to preview/etc. The idea is to upload the images and define a user/password for the clients via the web. Then just give the client the user/password combination and the URL for them to retrieve the image.

COTS

[PhunkySchtuff]

Common, Off The Shelf Solution...

I would look into a digital asset management solution designed for this task.

Oloto or Cumulus will do exactly what you want - plus offer you plenty of room for growth.

When you look at the time and effort involved in rolling something like this yourself, you can save a lot of money by purchasing a pre-rolled solution, plus you then don't need to maintain (or hire people to maintain) it all yourself.

selling stock photos online

[falconwolf]

They won't even be able to view or preview the shot from the stock site.

Why not? What you can do is have reduced quality photos with a watermark online so potential buyuers can see them then once an order is confirmed you can either upload it to a password protected directory, email it to them, or perhaps snailmail/Fedex developed photos and/or cd. Without a preview how will people even know what the photos are, having them on a website can be your porfolio.

Also have you checked out Photo.net? If not maybe you can get more help there. Besides /. Photo.net is one of my fav sites.

Falcon

paranoid enough?

[Cyn]

I'm not posting to any one solution because they all mention this.

If the purchaser is going to share the images with someone else, they're going to. Make it too obviously difficult to do it through the site, and they'll just do it offline. This all depends on how much you trust people and how far you want to go to keep on top of things...

If you want to be smart, and keep on top of things, then you don't want to make it *too* obvious that the link won't continue to work - but you definitely want to tie a unique identifier to it. That way, they can pass the link on to their friends, and you know they're sharing it. Feel free to make it expire - that will prevent said others from actually getting the content - but by leaving that link functional you can actually track who is trying to pass the content around. Make it so after the expiry period, it instead sends a zipfile that has a text file that says "please contact FOO to regain access to these files, they have expired" - that way the link will still "look good". Chances are they won't need to download it but once anyway, but you can always re-enable it for them if they really need it / etc. Heck, make the filename it sends slightly different so they don't accidentally overwrite their old copy - but you want to leave it a .zip so they don't spot that the link is different. Most people will re-test the link before passing it on.

If you make it a login based system, then you're less likely to catch it right off - just make it a simple link they can forward in email. This is all super-paranoid and about catching would-be thieves, hopefully the real world isn't this bad - but that's not my experience.

Protecting these at the distribution level is tricky enough, and it will take time looking over things, but it will at least limit your losses.