Gallery id and photo id link question/ suggestions

mpmcleod Registered Users Posts: 288 Major grins
edited May 4, 2006 in SmugMug Support
Is it normal behavior to be able to see anyone's gallery based on galleryid, and photos based on photo id?

For example: http://USERNAME.smugmug.com/gallery/NUMBERS
and http://USERNAME.smugmug.com/photos/NUMBERS-O.jpg

It appears that USERNAME is meaningless.

It could be "www" or "bob" or even "USERNAME". If you have the galleryid (NUMBERS) you can get to a gallery regardless of the settings.

Try it with any six digit number (first digit 1, second digit <=7) - you will get someone's gallery unless they have password protected it.

If this is normal could we have it fixed?
The comment about cookies on the email recipients is wrong. There is no cookie required if they have the galleryid.

I suggest one or more of the following:
A) make the username mean something.
1) it would provide a limited level of security in that you would at least have to know the username and so random "attacks" would be eliminated.
2) I realize this would break when people changed their username. This might be exactly what they want if someone is abusing the site

B) Actually use a "permission" cookie. My suggestion. The link that would be emailed would be to a script that set the cookie on the person's computer which says "You have permission to look at THIS and ONLY THIS gallery" and then redirects them to the gallery. This way only people who had been emailed that special link would be able to see the gallery. This would be the most clean implementation and quite simple to do (depending on how the galleries are currently being served).

C) Use more obfuscation on the gallery id itself. Make it some random combination of letters and numbers. 19asjk3760sghjgaflg97603727hghgsd would be much harder to "hack" and almost impossible to randomly come across compared to a simple 7 digit number. No one would have to type it in so why the sequential numbers? If you need the sequential numbers you could just add the random characters after the sequential numbers.

I don't need high security as these are personal photos. I wasn't too worried about them because I figured outsiders would at least need to know my username before they could start poking around and even then they would need to know a range of numbers to play with.

I would like to avoid having my DL quota hit by people randomly hitting my galleries. I would like to avoid people using a script to find and download all my photos. I don't want my photos indexed by an internet search engine. It appears that all of this can happen unless I place a password on my galleries AND make non-public AND turn off external links. Is this correct? This seems a bit overkill for my application.

Comments? Thoughts?

Am I beating a dead horse?
Is there a FAQ for this?

thanks,
-- Mike

smugmug nickname: mpmcleod
http://www.michaelmcleod.com/
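
Suggestion C from the post above (keep the sequential number and append random characters), sketched as an added example; this is not SmugMug's code or part of the original post. The `/gallery/<id>_<key>` layout, the in-memory store and the function names are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory store: sequential id -> gallery record.
_galleries = {}
_next_id = 100000  # constructed starting point for the sequential part


def create_gallery(title, unlisted=True):
    """Allocate the next sequential id and pair it with a random key."""
    global _next_id
    gallery_id = _next_id
    _next_id += 1
    key = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
    _galleries[gallery_id] = {"key": key, "title": title, "unlisted": unlisted}
    return f"/gallery/{gallery_id}_{key}"


def resolve(path):
    """Return the gallery title for a path, or None.

    Unknown ids and wrong keys both return None, so walking the number
    range cannot tell an existing unlisted gallery from an unused number.
    """
    prefix = "/gallery/"
    if not path.startswith(prefix):
        return None
    # The id never contains "_", so the first "_" separates id from key
    # even though the url-safe key may itself contain "_".
    id_part, _, key_part = path[len(prefix):].partition("_")
    if not (id_part.isascii() and id_part.isdigit()):
        return None
    record = _galleries.get(int(id_part))
    if record is None:
        return None
    if not record["unlisted"]:
        return record["title"]  # public galleries stay reachable by number
    # Constant-time comparison so response timing does not leak key bytes.
    if hmac.compare_digest(key_part.encode(), record["key"].encode()):
        return record["title"]
    return None
```

The key makes an unlisted gallery hard to stumble on by counting; anyone who is forwarded the full link can still open it, so a password remains the control for content that must stay restricted.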

Comments

  • Andy Registered Users Posts: 50,016 Major grins
    edited May 4, 2006
    Gallery and photo number are unique.
    Nickname can be changed anytime, this way there are never any broken urls.
    We can also allow neat stuff like "hide owner" www.smugmug.com/gallery/XXXXXX-L.jpg

    Make sense?

    We rarely get bandwidth issues for reasons like you state- if you do, simply write us at the help desk
  • mpmcleod Registered Users Posts: 288 Major grins
    edited May 4, 2006
    Andy wrote:
    Gallery and photo number are unique.
    Nickname can be changed anytime, this way there are never any broken urls.
    We can also allow neat stuff like "hide owner" www.smugmug.com/gallery/XXXXXX-L.jpg

    Make sense?

    We rarely get bandwidth issues for reasons like you state- if you do, simply write us at the help desk

    Thanks.
    I figured that was the reason for the username issue (so people could change it and everything still work).

    It is still strange (to me anyway) that just punching numbers in one can see "private" galleries. Maybe the word "non-advertised" or "not on your main page" would be better? I don't really want to password protect every gallery but I also don't want a random person to have access to everything I have.

    But as that appears to be the case....
    Can I use a single setting to password protect all my pictures and galleries with one login/password? Also can I set all my galleries to default to a "secure mode"?

    Any other suggestions?

    What does hide owner do?
    -- Mike

    smugmug nickname: mpmcleod
    http://www.michaelmcleod.com/
  • Andy Registered Users Posts: 50,016 Major grins
    edited May 4, 2006
    mpmcleod wrote:

    What does hide owner do?

    Here's a screen grab, it's in your customize gallery settings:
  • mpmcleod Registered Users Posts: 288 Major grins
    edited May 4, 2006
    Andy wrote:
    Here's a screen grab, it's in your customize gallery settings:

    Thanks. I knew how to do it but I was wondering what it did. Anyway I tried it and it removes my name and userid from the screen. Is that all? I am not sure how this helps me.

    Doesn't seem to have any effect on people getting to my photos.
    mpmcleod wrote:
    Can I use a single setting to password protect all my pictures and galleries with one login/password? Also can I set all my galleries to default to a "secure mode"?
    -- Mike

    smugmug nickname: mpmcleod
    http://www.michaelmcleod.com/
  • Andy Registered Users Posts: 50,016 Major grins
    edited May 4, 2006
    mpmcleod wrote:
    Thanks. I knew how to do it but I was wondering what it did. Anyway I tried it and it removes my name and userid from the screen. Is that all? I am not sure how this helps me.

    Doesn't seem to have any effect on people getting to my photos.
    Right.

    If you don't want folks to find your private galleries accidentally, which is very remote, then you can put a site password on, and/or gallery passwords.

    Does that help?
  • mpmcleod Registered Users Posts: 288 Major grins
    edited May 4, 2006
    Andy wrote:
    Right.

    If you don't want folks to find your private galleries accidentally, which is very remote, then you can put a site password on, and/or gallery passwords.

    Does that help?

    Yep! Thanks!

    Is there a way to do it to all my galleries at one time? And also a way so that by default any new galleries are password protected?
    -- Mike

    smugmug nickname: mpmcleod
    http://www.michaelmcleod.com/