This is not 100% secure, but makes it harder to download stuff.


The ideas are based on an object server that runs on an Apache
web server with PHP installed, but some of them can be migrated
to other web servers and web languages as well.


I did NOT TEST the whole thing, because I do not protect my stuff.
If you tried it, please tell me about problems AND success, so
I can remove this part of the instruction or fix bugs :)
  Thanks
    Volker [Ananas]

=======================================================================


1. Hiding the real path and forwarding to a PHP script instead


For this purpose, the Apache web server offers the "rewrite engine"
mod_rewrite. The part of rewrite, that you need, does not require
server admin rights, it just needs an enabled rewrite engine, so
that you can define the rewrite rules in your .htaccess file.

Create a new, empty directory, that you want to use as the OP entry
of your world. In the example, I will write /FAKED for this pathname.
For the OP script, the example assumes the name /script/OP.php

On your PC, use NotePad to create a text file with these 8 lines :

RewriteEngine On
RewriteBase   /FAKED
RewriteRule   ^(models\/.*\.zip)$     /script/OP.php?/$1 [S=10]
RewriteRule   ^(textures\/.*\.jpg)$   /script/OP.php?/$1 [S=10]
RewriteRule   ^(avatars\/.*\.zip)$    /script/OP.php?/$1 [S=10]
RewriteRule   ^(seqs\/.*\.jpg)$       /script/OP.php?/$1 [S=10]
RewriteRule   ^(sounds\/.*\.jpg)$     /script/OP.php?/$1 [S=10]
RewriteRule   ^(.*)$                  /index.html

Save the file, then use Explorer to rename the file into .htaccess
Do not rename it to .htaccess.txt and do not forget the leading dot!

Upload (FTP) the file to your web server into the new /FAKED directory
in ASCII (!) mode. The file will not be visible in your web browser
and cannot be downloaded, so the contents are really hidden. 


2. Create the directory where you plan to store your objects.


Those who can create a directory on their OP server outside of the
web area can do that. Those who cannot do that, can still use a
directory name with a leading dot, that will deny access from the web
browser. In the example (for the PHP script), I will use the pathname
/.REAL for this path.


3. Create this PHP script with forwarding and browser check

On your PC, use NotePad to create a text file with these contents :

<?PHP
  define ("REALPATH", '/.REAL');


  if (strcmp ($HTTP_USER_AGENT, "Active Worlds Browser"))
    exit();


  $IsZip = 0;

  if (! empty ($DOCUMENT_ROOT))
    $DocRoot = $DOCUMENT_ROOT;
  else
    $DocRoot = '';

  if ($Content = strrchr ($QUERY_STRING, '.'))
  {
    if (stristr ($Content, '.zip'))
    {
      $IsZip = 1;
      Header ('Content-Type: application/zip');
    }
    else
      Header ('Content-type: image/jpeg');
  }


  if (! ($Filename = strrchr ($QUERY_STRING, '/')))
    $Filename = strrchr ($QUERY_STRING, '\\');
  if ($Filename)
  {
    $Filename = substr ($Filename, 1);
    Header( 'Content-Disposition: attachment; filename='.$Filename );
  }

  if ($Filename[0] == '.')
    exit();

  $Filename = $DocRoot.REALPATH.$QUERY_STRING;
  if (! file_exists ($DocRoot.REALPATH.$QUERY_STRING))
    exit();

  $arr = split ("[\\/]", $Filename);

  for ($i=0; $i<sizeof($arr); $i++)
    if (! strcmp ($arr[$i], '..'))
    {
      array_splice ($arr, $i-1, 2);
      $i=0;
    }
  $Filename = $arr[0];
  for ($i=1; $i<sizeof($arr); $i++)
    $Filename .= '/'.$arr[$i];

  if (strncmp ($DocRoot.REALPATH, $Filename, strlen($DocRoot.REALPATH)))
    exit();

  $Filesize = filesize ($Filename);
  Header ('Content-Length: '.$Filesize);

  if ($fIn = fopen ($Filename, 'rb'))
    fpassthru ($fIn);
?>

Save the file, then use Explorer to rename the file into OP.php
Do not rename it to OP.php.txt!

Upload (FTP) the file to your web server into the new /script directory
in ASCII mode, binary mode should not be a problem though.

=======================================================================

The final structure will look like this now :

/FAKED/.htaccess
/script/OP.php
/.REAL/models/
/.REAL/textures/
/.REAL/avatars/
/.REAL/seqs/
/.REAL/sounds/

with the value "server.domain/FAKED" in your worlds OP entry.