Disclaimer

Note: this password scheme is not 100% secure! It's probably not even 90% secure. Anyone who really wants to can get around this protection by examining the source of the page they are viewing and going to image URLs directly. This functionality should not be relied on for real security.

Password Protection

It is sometimes desirable to protect folders from being viewed by the public. This can be done by assigning usernames and passwords for access control to particular folders.

To do so, add lines like this one to config.php:

    $protect['./Pictures_of_me']['joe'] = 'IBDXWbkBirMfU';

The part in the first set of brackets is the directory. The second set of brackets contains the username. The part in quotes at the end is the password, in unix crypt() format. (Note: either single quotes or double quotes are fine, unless there is a $ character in the password string. If there is, you must use single quotes.)

The directory name is the value of currDir as seen in any URL when you go to that folder. Some examples might be:

    ./Pictures_of_me
    ./People/Stephanie
    ./Trips/Europe

The password protection includes subfolders - so if there is a folder Trips/Europe, and it contains many subfolders, they will also have the same password protection properties (in other words, password properties are inherited).

Note that if there is a defined password policy for Trips/Europe/Belgium, it will override Trips or Trips/Europe. The rule is simple - the most specific definition wins. Or, one could say the longest folder name wins.

A more complete example might be something like this:

    $protect['./People/Stephanie']['dan']      = 'NI6kjeu0Bu5OA';
    $protect['./People/Stephanie']['kate']     = 'BSkfNxImwPHeQ';
    $protect['./People/Stephanie']['mom']      = 'IGSQpYrjm0znM';

    $protect['./Trips/Europe/Belgium']['joe']  = 'NLmqM5pt3s6Xc';
    $protect['./Trips/Europe']['fig']          = 'RRElq4KBFcLhk';

It is important to use only the currDir string as seen in the browser's URL bar. Do not add a trailing slash, and do not omit any characters at the end. Do not omit the leading ./ either.

So if the browser shows currDir=./People/Stephanie, use ./People/Stephanie and not People/Stephanie or ./People/Stephanie/.
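The "most specific definition wins" rule and the crypt() check, sketched as an added example. This is not Mig's own code: find_policy() and check_login() are hypothetical names, the sample users and passwords are constructed, and matching on a folder boundary is an assumption about how the rule should behave.

```php
<?php
// Added illustration, not Mig's own code. find_policy() and check_login()
// are hypothetical names; the $protect layout is the one config.php uses.

// Constructed sample policy. Hashes are generated here so the example is
// self-contained; 'Ai' and 'xy' are arbitrary two-character salts.
$protect = array();
$protect['./Trips/Europe']['fig']         = crypt('fig-pass', 'Ai');
$protect['./Trips/Europe/Belgium']['joe'] = crypt('joe-pass', 'xy');

// Return the most specific protected folder covering $currDir, or null.
function find_policy(array $protect, $currDir) {
    $best = null;
    foreach (array_keys($protect) as $dir) {
        // Match the folder itself or a real subfolder: compare on a path
        // boundary so './Trips/Europe' does not cover './Trips/Europe2'.
        $covers = ($currDir === $dir)
               || strncmp($currDir, $dir . '/', strlen($dir) + 1) === 0;
        if ($covers && ($best === null || strlen($dir) > strlen($best))) {
            $best = $dir;  // longest matching folder name wins
        }
    }
    return $best;
}

// True if $user/$pass is valid for $currDir, or if no policy applies.
function check_login(array $protect, $currDir, $user, $pass) {
    $dir = find_policy($protect, $currDir);
    if ($dir === null) {
        return true;   // folder is not protected
    }
    if (!isset($protect[$dir][$user])) {
        return false;  // user is not listed in the winning policy
    }
    $stored = $protect[$dir][$user];
    // crypt() takes the salt from the stored hash; hash_equals() compares
    // the two strings in constant time.
    return hash_equals($stored, crypt($pass, $stored));
}

// Inherited policy: a subfolder of ./Trips/Europe/Belgium.
var_dump(find_policy($protect, './Trips/Europe/Belgium/Bruges'));
// Sibling folder that merely shares a name prefix.
var_dump(find_policy($protect, './Trips/Europe2'));
// 'fig' under the Europe policy, then under the overriding Belgium policy.
var_dump(check_login($protect, './Trips/Europe/Italy', 'fig', 'fig-pass'));
var_dump(check_login($protect, './Trips/Europe/Belgium', 'fig', 'fig-pass'));
```

Because the Belgium definition replaces the Europe one rather than adding to it, a user listed only under ./Trips/Europe is refused in ./Trips/Europe/Belgium.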

Crypt Format

But wait! How do I generate unix crypt() format passwords?

Easily done with PHP:

    <?php
        $pass = 'somepassword';
        $salt = 'Ai';
        print crypt($pass, $salt);
    ?>

The salt is any two-character combination - it is used to seed the random generation process, so to speak. Any two characters are good enough (but ":" (colon) can't be used in a salt string).

It's equally easy in Perl:

    perl -e 'print crypt("password","xy"),"\n";'

Here, password is the password to encrypt, and xy is the two-character salt (any two characters besides a colon (":") will do).

How Do I Protect the Main Level ('currDir=.') ?

Set up an .htaccess file in Apache, or the equivalent mechanism for other servers (see web server documentation for specifics).

Or it can be done with Mig's password scheme (less securely):

    $protect['.']['kate'] = 'BSkfNxImwPHeQ';