Rails: Obfuscating Image URLs on Amazon S3? (security concern)

Posted by neezer on Stack Overflow
Published on 2010-02-12T07:17:34Z Indexed on 2011/01/02 3:54 UTC


To make a long explanation short, suffice it to say that my Rails app allows users to upload images to the app that they will want to keep in the app (meaning, no hotlinking).

So I'm trying to come up with a way to obfuscate the image URLs so that the address of the image depends on whether or not that user is logged in to the site, so if anyone tried hotlinking to the image, they would get a 401 access denied error.

I was thinking that if I could route the request through a controller, I could re-use a lot of the authorization I've already built into my app, but I'm stuck there.

What I'd like is for my images to be accessible through a URL to one of my controllers, like:

http://railsapp.com/images/obfuscated?member_id=1234&pic_id=7890

If the user were to right-click on the image displayed on the website and select "Copy Address", then paste it in, it would be the SAME url (as in, wouldn't betray where the image is actually hosted).

The actual image would be living on a URL like this:

http://s3.amazonaws.com/s3username/assets/member_id/pic_id.extension

Is this possible to accomplish? Perhaps using Rails' render method? Or something else? I know it's possible for PHP to return the correct headers to make the browser think it's an image, but I don't know how to do this in Rails...

UPDATE: I want all users of the app to be able to view the images if and ONLY if they are currently logged on to the site. If the user does not have a currently active session on the site, accessing the images directly should yield a generic image, or an error message.

© Stack Overflow or respective owner
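One way to build the proxying controller the question describes, as an added Ruby example (not from the poster, and not Rails' own code): the logged-in check runs first, the S3 key is built from a server-side record rather than from request parameters, and the bytes are returned with an image Content-Type so the browser only ever sees the app's URL. It assumes a hypothetical `pictures` lookup standing in for the app's database and an injectable `fetcher` so it can run offline; in a real Rails action the returned triple maps onto `send_data body, type: ..., disposition: "inline"`.

```ruby
require "net/http"
require "uri"

# Bucket path from the question; the rest of the key is "member_id/pic_id.ext".
S3_BASE = "https://s3.amazonaws.com/s3username/assets".freeze

# Content-Type to send back for each extension the app stores (assumed list).
IMAGE_TYPES = {
  "jpg" => "image/jpeg", "jpeg" => "image/jpeg",
  "png" => "image/png",  "gif" => "image/gif"
}.freeze

class ImageProxy
  # pictures: hypothetical stand-in for the app's DB, mapping [member_id, pic_id]
  #           to the stored extension, so no part of the S3 key comes from the client.
  # fetcher:  callable given a URI, returning the object body or nil when missing.
  def initialize(pictures, fetcher: nil)
    @pictures = pictures
    @fetcher  = fetcher || lambda do |uri|
      res = Net::HTTP.get_response(uri)
      res.is_a?(Net::HTTPSuccess) ? res.body : nil
    end
  end

  # Mirrors what a Rails action does before calling send_data.
  # Returns [status, headers, body].
  def call(session, params)
    # 1. Only a logged-in session may see any image (the poster's rule).
    return [401, {}, "Access denied"] unless session[:user_id]

    # 2. Resolve the picture by id; the extension comes from the record,
    #    never from the request, so the caller cannot steer the S3 key.
    member_id = params["member_id"].to_i
    pic_id    = params["pic_id"].to_i
    ext       = @pictures[[member_id, pic_id]]
    return [404, {}, "Not found"] unless ext && IMAGE_TYPES.key?(ext)

    # 3. Fetch from S3 server-side; the browser never learns the bucket URL.
    body = @fetcher.call(URI("#{S3_BASE}/#{member_id}/#{pic_id}.#{ext}"))
    return [404, {}, "Not found"] if body.nil?

    # 4. Serve inline with the image type; "private, no-store" keeps shared
    #    caches from handing the same bytes to a later, logged-out request.
    [200, { "Content-Type" => IMAGE_TYPES[ext],
            "Content-Disposition" => "inline",
            "Cache-Control" => "private, no-store" }, body]
  end
end
```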
