💡 How Gallery Protect Keeps Your Files Safe: A Simple Guide

This document will explain how the Gallery Protect system works to keep your files secure. We'll break down its security features in simple, non-technical terms, so you can feel confident that your digital house is well-protected.

1. Introduction: Your Digital Safe

Think of your private files like valuable items you'd keep in a secure house. You wouldn't rely on just a single lock on the front door; you'd have locks, an alarm, and maybe even a safe for your most important possessions. Digital security works the same way.

2. The Big Idea: Security in Layers

The core security philosophy of this system is multi-layered security. A single defense can be broken, but multiple, independent layers working together create a much stronger barrier. Imagine defending a castle: an attacker would need to get past a moat, then an outer wall, and finally an inner keep. Each layer presents a new challenge.

Why are layers more effective?

Now, let's meet the first guard at the gate: the server's bouncer.



3. Layer 1: The Server's Bouncer (.htaccess)

Before any of the gallery's own code runs, the web server itself acts as the first line of defense. It uses a configuration file called .htaccess to work like a bouncer at an exclusive club, checking every request before it even gets inside. If a request looks suspicious or is trying to go somewhere it shouldn't, the bouncer stops it immediately.

The Bouncer's Job (and Why It Matters)

  • Redirecting Trespassers: If anyone tries to access a forbidden area, they are instantly sent to the login page.
    Why it matters: It stops intruders at the front door, before they even get a chance to knock.

  • Hiding the Guest List: Makes critical files like users.txt and global_activity.log completely invisible from a web browser.
    Why it matters: It keeps your guest list and security logs completely secret from prying eyes on the web.

  • Blocking Uninvited Guests: Checks if a request for a photo is coming from your website or from somewhere else.
    Why it matters: This prevents other sites from stealing your bandwidth (hotlinking) and ensures no one can bypass the login page by guessing a direct link to a file.

Once you get past the bouncer, you still need to prove who you are to get your official pass for the evening.

4. Layer 2: The VIP Pass (Your Secure Session)

After you log in successfully, the system gives your browser a temporary "VIP Pass" called a session. This pass is like a hand stamp that proves you are an authenticated user for a limited time. As you navigate the gallery, every protected page checks for this pass.

The "Kill Protocol"

The system has a strict security rule: every protected page checks for your VIP Pass the moment it starts to load. If the pass is missing or invalid, the page immediately stops everything by executing an exit; command. This ensures that not a single piece of a protected photo or file is ever accidentally shown to an unauthenticated user. The process is killed instantly.

Keeping Galleries Separate

The system is designed to run multiple, independent galleries on the same server (e.g., one for /nphotos/ and another for /vacation/). To prevent a key for one gallery from working on another, it uses Namespace Isolation.

Think of it like different apartment buildings on the same street. A key for Building A won't work on Building B. Similarly, each gallery has its own unique set of keys (session variables) so that being logged into one gallery doesn't grant you access to any others.
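For readers who want to see the idea in code, here is the pass check and the per-gallery key separation described above as an added PHP example. It is not Gallery Protect's own code; the function names, the login.php target and the 30-minute pass lifetime are assumptions made for illustration.

```php
<?php
// Added illustration; not Gallery Protect's auth.php. All names are hypothetical.
declare(strict_types=1);

// Derive a per-gallery namespace from the gallery's own directory, so the
// session keys of /nphotos/ and /vacation/ can never collide.
function gallery_namespace(string $galleryDir): string
{
    $path = realpath($galleryDir) ?: $galleryDir;
    return 'gp_' . substr(hash('sha256', $path), 0, 16);
}

// Called by the login page after the password has been verified.
function grant_pass(string $ns, string $username): void
{
    session_regenerate_id(true); // issue a fresh session ID at login
    $_SESSION[$ns] = ['user' => $username, 'issued' => time()];
}

// True only if THIS gallery's pass exists and has not expired.
// The 30-minute default is an assumed value.
function has_valid_pass(string $ns, int $maxAgeSeconds = 1800): bool
{
    $pass = $_SESSION[$ns] ?? null;
    return is_array($pass)
        && isset($pass['user'], $pass['issued'])
        && (time() - $pass['issued']) < $maxAgeSeconds;
}

// First lines of every protected page: check the pass, or stop.
function require_pass(string $galleryDir, string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!has_valid_pass(gallery_namespace($galleryDir))) {
        header('Location: ' . $loginUrl);
        exit; // without this, the rest of the page would still be generated and sent
    }
}

require_pass(__DIR__);
// ...protected page content starts here...
```

Because the pass is stored under a key derived from the gallery's directory, a pass granted in one gallery is simply absent when another gallery looks for its own key.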

But how does the system know who to give a VIP Pass to in the first place? It checks the official guest list.

5. Layer 3: The Guest List (users.txt)

The system’s secure "Guest List" is a simple, fast, and reliable text file named users.txt. Instead of a complex database, this file stores usernames and passwords, and the system is built with strict rules to keep it safe and functional.

Here are its most important security features:

Now that we've met all the guards and seen the security plans, let's walk through what happens when you want to see a photo.

6. Putting It All Together: A User's Journey

This multi-layered security system works together seamlessly in a fraction of a second. Here’s the story of what happens when you request a single file:

  1. The Request: You click on a link to a photo in your gallery. Your browser sends a request to the server.

  2. The Bouncer's Check: The server's bouncer (.htaccess) immediately checks your request. Is it coming from an unauthorized website (hotlinking) or is someone trying to access the file directly? If so, the request is stopped and redirected away.

  3. The VIP Pass Check: If the bouncer approves, the gallery's main logic (auth.php) checks your browser for a valid VIP Pass (session).

  4. The Result

    • If you have the pass: The photo is displayed instantly.

    • If you don't have the pass: You are sent to the login page to get one.

This seamless, split-second process is what provides your peace of mind.



7. Conclusion: Confident and Secure

The strength of Gallery Protect doesn't come from a single, complex lock. It comes from multiple, independent layers of protection working together. From the server's initial "bouncer" check to the session's "VIP pass" and the secure "guest list," each layer reinforces the others. This defense-in-depth strategy ensures that your files are guarded by a robust and reliable security system, letting you share and browse with confidence.