views:

83

answers:

4

I would like to create a web site with many images. But I would like to protect against direct access to images, e.g. direct links to images without visiting the web site.

What is the preferred way to do this? And what are the alternatives with Pros and cons?

I have some ideas (I don't know if they are possible):

  • File permissions
  • PHP Sessions
  • Temporary file names or URLs
  • HTTP Redirection?

Maybe this isn't practiced on many web sites? E.g. I tried to access a private photo on Facebook without being logged in, but I could still visit the photo.

The platform will probably be an Ubuntu machine with NginX and PHP.

+7  A: 

http://us3.php.net/image

You link the img element to a php file. This file checks if the user has the right permission, if so it can send an img response back.

<img src="url/LoadImg.php?id=1337" alt="" />

Still, someone with the permission can download the image and provide it to other people somewhere else (webspace/mail/whatever). To make it a bit harder to steal it you can disable right-clicking on the image, but still a user who knows a little bit about HTTP should not have any problems stealing it. You can place a signature over the image (for example the logo/name of your website) so people can see that you were the source. This can be done with PHP as well.

If you want to be funny you can set up another image (porn is great for this :P) that is sent if the link comes from another page :P

Mark Baijens
A: 

This is going to be hard to do. In order for your clients' web browsers to access the pictures, they need to be readable. File permissions won't work because you'll need to grant access to the browser. You won't be able to stop someone from downloading them and doing something with them.

If you only want to stop direct linking, if you change the filenames on a regular basis and update your pages to reflect this, other pages will have their links broken.

Steve Rowe
+1  A: 

This might be useful: Allow/deny image hotlinking with .htaccess

Edit: One thing to note about this method is that some Browser/AV/Firewall software removes Referer data when you browse, which would cause potentially legitimate users to be treated as hotlinkers.

If your site already uses some kind of authentication or session system, then it would be better to use the method given in @Mark Baijens' answer.

Update: NGiNX rewrite rule to prevent hotlinking:

location ~* (\.jpg|\.png|\.css)$ {
    valid_referers blocked mydomain.com www.mydomain.com;
    if ($invalid_referer) {
        return 444;
    }
}
jnpcl
Thanks, however I cannot use that method since I am using NginX as webserver and don't have any `.htaccess` files.
Jonas
With some tweaking, it's [possible](http://wiki.nginx.org/NginxHttpRewriteModule).
jnpcl
Thanks, I will have a look at that solution.
Jonas
And those programs don't only remove the referrer, they sometimes replace it with some constant string. So you probably need a longer whitelist of valid referrers.
CodeInChaos
A: 

You could use a PHP script to retrieve the images using something like:

<img src="mysite.com/getimage.php?id=001" />

and have the PHP script return the image data only after confirming that the domain of the HTTP_REFERER is yours.

If you have an account-oriented site, I suggest using PHP sessions as you stated and have the PHP script verify the session before returning the image data.

Evan Mulawski
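A worked version of the image-serving script described in Mark Baijens' and Evan Mulawski's answers, added here as an example and not code from either answer. It assumes a login elsewhere sets `$_SESSION['user_id']`, that the image files live outside the web root, and uses a constructed id-to-file table and a hypothetical placeholder image in place of a database lookup:

```php
<?php
// getimage.php (added example). Serves an image only to a logged-in session,
// and only for a known numeric id, so a request can never name a file path.
session_start();

// Assumption: the site's login code sets $_SESSION['user_id'].
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Constructed id -> file table; a real site would query a database.
// Files are kept outside the web root so nginx cannot serve them directly.
$images = [
    1    => ['path' => '/var/www/private-images/001.jpg', 'mime' => 'image/jpeg'],
    1337 => ['path' => '/var/www/private-images/1337.png', 'mime' => 'image/png'],
];

// Hosts allowed to embed the images (same idea as valid_referers in nginx).
$validHosts = ['mysite.com', 'www.mysite.com'];

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false || !isset($images[$id])) {
    http_response_code(404);
    exit('Not found');
}
$img = $images[$id];

// Soft hotlink check. Some browsers, AV and firewall software strip or replace
// the Referer (see jnpcl's and CodeInChaos's comments), so a missing Referer
// is allowed through; only a Referer from a foreign host gets the placeholder.
$refHost = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
if (is_string($refHost) && !in_array(strtolower($refHost), $validHosts, true)) {
    // Hypothetical placeholder shown to pages on other sites.
    $img = ['path' => '/var/www/private-images/hotlink.png', 'mime' => 'image/png'];
}

if (!is_file($img['path'])) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: ' . $img['mime']);
header('Content-Length: ' . filesize($img['path']));
header('Cache-Control: private, no-store'); // keep it out of shared caches
readfile($img['path']);
```

The page then embeds it as `<img src="/getimage.php?id=1337">`; since the session check runs before anything is read, a direct link without a valid session returns 403 rather than the file.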