In WordPress I want to be able to sell sets of emoticons (PNG images). These emoticon sets are stored in a folder under the plugin (e.g. wp-content/plugins/my-plugin/emoticons/set-1/happy.png).
Some emoticon sets are free, some are not. I want to be able to prevent the user from accessing the emoticons if they did not buy the set. Also, because these emoticons are used when writing text, I need the check done as fast as possible.
What I tried so far:
1. Loading the emoticons via a proxy PHP file in which I do the check for user purchases. This works, but it's awfully slow.
2. Using .htaccess inside the emoticons/ folder. With it I do a check like this:
RewriteEngine On
# %1 = the set name taken from a cookie named emoticonset-<set>
RewriteCond %{HTTP_COOKIE} .*?emoticonset-(.*)=(.*);?
# pass only if the requested PNG lives under emoticons/<that set>/
RewriteCond %{SCRIPT_FILENAME}::%1 emoticons/(.*?)/(.*\.png)::\1$
RewriteRule .* - [L]
# anything else: 403 Forbidden
RewriteRule ^ / [F]
It sort of works, in the sense that it will check if the user has a cookie emoticonset-set-1 and if yes then it serves the PNG image, otherwise it returns 403 Forbidden.
index.php paths.
Option 2 is extremely fast, but it can be easily fooled by users manually adding the cookie in the browser.
Are there any other options I should look into? Is there any way to make option 2 secure?
I found an acceptable solution to my problem. The solution has a few steps:
1. I used .htaccess to deny direct access to the emoticon files for everybody.
2. I created a simple PHP file in the plugin folder. The PHP file acts as a proxy for the images (I pass it the path to the emoticon via a GET parameter). Since the PHP file does not include the whole WordPress infrastructure, the proxy works very fast. I also do a very basic check of a cookie (emoticon_set_name=md5(emoticon_set_name)).
3. In the WordPress plugin I use the init action to set the cookie values according to the emoticon sets that the user bought.
The MD5 encryption can be substituted with any other kind of encryption, and the encrypted cookie value can be combined with other cookie values to make it more difficult for the user to directly key in the cookie in the browser.
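The following is an added example written for this page; it is not code from the question or from the answer above. It keeps the answer's structure (direct access to the PNGs denied in .htaccess, a small PHP proxy that does not bootstrap WordPress, cookies issued from the init hook) and addresses the question's "is there any way to make option 2 secure?": mod_rewrite can only compare the cookie against a string the browser already knows, so a forgery-resistant check has to happen in PHP. Instead of md5(set_name), which anyone can compute, the cookie carries an HMAC under a server-side secret over the user id, the set name and an expiry, verified in constant time. The proxy also allow-lists the set and file names rather than accepting a path, so a crafted GET parameter cannot reach files outside the emoticons folder. The file names, the constants, the my_plugin_purchased_sets() helper and the .free marker file are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumed layout:
//   wp-content/plugins/my-plugin/emoticon.php            (this file: proxy + WP hook)
//   wp-content/plugins/my-plugin/emoticons/<set>/<file>.png
//   wp-content/plugins/my-plugin/emoticons/.htaccess     containing
//       Require all denied        (Apache 2.4; "Deny from all" on 2.2)
//   so the PNGs are reachable only through this proxy.
// Requires PHP 7.3+ (setcookie options array).

const EMO_COOKIE_SECRET = 'replace-with-a-long-random-secret'; // in practice: load from wp-config.php
const EMO_SET_PATTERN   = '/^[a-z0-9_-]{1,32}$/';
const EMO_FILE_PATTERN  = '/^[a-z0-9_-]{1,64}\.png$/';

function emo_cookie_name(string $set): string {
    return 'emoticonset-' . $set;            // same naming as the question's cookie
}

function emo_sign(string $payload): string {
    return hash_hmac('sha256', $payload, EMO_COOKIE_SECRET);
}

// Token format: "<user_id>|<set>|<expiry>|<hmac>". Only the server can produce the hmac.
function emo_make_token(int $user_id, string $set, int $expires): string {
    $payload = $user_id . '|' . $set . '|' . $expires;
    return $payload . '|' . emo_sign($payload);
}

// True only if the token is for this set, unexpired, and its HMAC verifies.
function emo_verify_token(string $token, string $set, int $now): bool {
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return false;
    }
    [$user_id, $token_set, $expires, $mac] = $parts;
    if ($token_set !== $set || !ctype_digit($user_id) || !ctype_digit($expires)) {
        return false;
    }
    if ((int)$expires < $now) {
        return false;                         // bounds replay after a refund / expiry
    }
    $expected = emo_sign($user_id . '|' . $token_set . '|' . $expires);
    return hash_equals($expected, $mac);      // constant-time comparison
}

// WordPress side: add_action('init', 'emo_set_entitlement_cookies');
// my_plugin_purchased_sets($user_id) is a hypothetical helper returning bought set names.
function emo_set_entitlement_cookies(): void {
    if (!is_user_logged_in()) {
        return;
    }
    $user_id = get_current_user_id();
    $expires = time() + 86400;                // short-lived; re-issued on every page load
    foreach (my_plugin_purchased_sets($user_id) as $set) {
        setcookie(emo_cookie_name($set), emo_make_token($user_id, $set, $expires), [
            'expires'  => $expires,
            'path'     => '/wp-content/plugins/my-plugin/',
            'secure'   => is_ssl(),
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
}

// Proxy side: emoticon.php?set=set-1&file=happy.png  (no WordPress bootstrap needed)
function emo_serve(array $get, array $cookies, string $base_dir, int $now): int {
    $set  = $get['set']  ?? '';
    $file = $get['file'] ?? '';
    // Both values are attacker-controlled: validate before building any path.
    if (!preg_match(EMO_SET_PATTERN, $set) || !preg_match(EMO_FILE_PATTERN, $file)) {
        return 400;
    }
    $dir  = $base_dir . '/emoticons/' . $set;
    $path = $dir . '/' . $file;
    if (!is_file($path)) {
        return 404;
    }
    $free = is_file($dir . '/.free');         // hypothetical marker for free sets
    if (!$free && !emo_verify_token($cookies[emo_cookie_name($set)] ?? '', $set, $now)) {
        return 403;
    }
    header('Content-Type: image/png');
    header('Cache-Control: private, max-age=3600');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    return 200;
}

// Run as the proxy only when requested directly, not when WordPress includes this file.
if (PHP_SAPI !== 'cli' && basename(__FILE__) === basename($_SERVER['SCRIPT_FILENAME'] ?? '')) {
    $status = emo_serve($_GET, $_COOKIE, __DIR__, time());
    if ($status !== 200) {
        http_response_code($status);
    }
}
```

The proxy stays about as cheap as the answer's: one regex pair, one stat, one HMAC. The secret has to be readable by both the plugin (signing) and the proxy (verifying), so in a real deployment it would be defined in wp-config.php and pulled in by a small require rather than hard-coded. What this does not prevent is a buyer copying their own valid cookie to someone else; no cookie-only scheme can, and the short expiry plus the user id in the payload is what limits the damage and makes such sharing attributable.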