views: 437

answers: 7

I'm creating an image gallery site that you have to log in to access. The site will use sessions to keep track of usernames and passwords. Logged in users will be able to search for images and see results. Presumably, this means I'll be putting images in a web directory. How do I keep non-logged in people from being able to browse directly to an image in this directory?

This is PHP-based, with MySQL.

+2  A: 

Check for a referrer header, and require it to be from your site. You can also check that cookies get sent to you (that they're logged in).

Your best bet is then having PHP fetch the images from a location outside of your web dir.

Also, check out the comment string: using mod_rewrite can do all this directly from apache.

Nerdling
The best thing about this solution is that you can do it in your Apache .htaccess file, so it doesn't depend on your program at all.
Paul Tomblin
That's true, mod_rewrite
Nerdling
Remember that a referer header can be spoofed and isn't reliable when someone is intent on getting to your images. The other solutions work well however.
Josh Smeaton
+3  A: 

Put the images in a folder that isn't accessible through a direct URL, and have the program serve the image directly.

eglasius
+1  A: 

Don't put the images in a browsable directory. Better yet, store them outside of your webroot. Put some sort of custom handler in place that will load the requested image and send it back to the user, after the user has been validated and verified. This will also prevent hot-linking of your images.

Jason
A: 

Do not let people access your image directories directly.

Let your image gallery software forward the image to the user. Check the needed credentials.

+1  A: 

Put the images in a folder outside the web site, and use a proxy page to send the image to the browser. Make a page that you use as the URL in your img tag, something like:

getimage.php?id=8783475

In the page you check that the user is logged in, and determine from the parameters what image to send. Set the content type of the page to the type that matches the image, for example "image/jpeg", read the image file and send it directly to the response stream.

Guffa
A: 

I'm having the same problem, but the pictures that I want to protect are pictures uploaded by the users. Won't using a directory outside the webroot prevent users from posting pictures?

Greg
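The proxy page Guffa describes, together with the upload side Greg asks about, as one added PHP example (this is not code from the question or from any of the answers). Everything in it is assumed: images live in /var/app/private_images, a directory outside the web root, so Apache has nothing to serve from there; login stores the username in $_SESSION['username']; each stored image is named <id>.<ext>, with the id chosen by the upload handler. The real site would probably keep an id-to-owner table in MySQL; that is left out so the file runs with only PHP and a writable directory. The session check, not the referer header, is the access control, for the reason Josh Smeaton gives in the comments.

```php
<?php
// Added example: proxy page plus upload handler for images kept outside the web root.
// Assumed (hypothetical) paths and session layout are described in the lead-in.

declare(strict_types=1);

const IMAGE_DIR = '/var/app/private_images';   // assumed location outside the web root

// File types we are willing to store and serve, keyed by sniffed MIME type.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function is_logged_in(): bool
{
    return isset($_SESSION['username']);
}

// Turn an untrusted id into an absolute path, or null if it is not a valid id or
// no such image exists. Only lowercase hex is accepted, so the id can never carry
// '/', '..' or anything else that would escape IMAGE_DIR.
function image_path(string $id): ?string
{
    if (!preg_match('/\A[0-9a-f]{16}\z/', $id)) {
        return null;
    }
    foreach (ALLOWED_TYPES as $ext) {
        $path = IMAGE_DIR . '/' . $id . '.' . $ext;
        if (is_file($path)) {
            return $path;
        }
    }
    return null;
}

// getimage.php?id=<id>: the proxy page from Guffa's answer.
function serve_image(string $id): void
{
    if (!is_logged_in()) {
        http_response_code(403);
        exit('Forbidden');
    }
    $path = image_path($id);
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    // Decide the Content-Type from the bytes on disk, not from the extension.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!isset(ALLOWED_TYPES[$type])) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');   // a shared cache must not hand it to the next visitor
    readfile($path);
    exit;
}

// Upload side (Greg's question): users never write into the web root. This handler
// is the only code that writes into IMAGE_DIR, and it picks the file name itself.
// Returns the new id, or null if the upload was rejected.
function store_upload(array $upload): ?string
{
    if (!is_logged_in() || ($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Sniff the uploaded bytes; the client-supplied name and type are untrusted.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if (!isset(ALLOWED_TYPES[$type])) {
        return null;
    }
    $id = bin2hex(random_bytes(8));   // 16 hex chars, matches image_path(); not guessable
    $dest = IMAGE_DIR . '/' . $id . '.' . ALLOWED_TYPES[$type];
    // move_uploaded_file() refuses any source that was not an actual HTTP upload.
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        return null;
    }
    return $id;
}

session_start();
if (isset($_GET['id'])) {
    serve_image((string) $_GET['id']);
} elseif (isset($_FILES['image'])) {
    $id = store_upload($_FILES['image']);
    echo $id === null ? 'Upload rejected' : 'Stored as ' . $id;
}
```

The gallery page then writes `<img src="getimage.php?id=...">` for each result, and the only way any image bytes leave the server is through serve_image(), which runs the session check first. Because uploads are written by the handler into IMAGE_DIR rather than into a directory under the web root, the answer to Greg's question is that users can still post pictures; they just never get a URL that points straight at the file.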
A: 

If your images are not too large, there is a very smart way of protecting them from unauthorized access. You can use base64 encoding, the same as Outlook Express attachment encoding, and put the code inside an ASP page which uses the SESSION object. SEE TUTORIALS ON ASP FOR MORE ON THIS SUBJECT. When a user accesses the page, the asp code checks if the user is authenticated. If he isn't the script interrupts the page code, not visualizing the image. If the user is authenticated the script loads the entire page and the base64 is reconstructed into a visible image. The trick here is that you don't have a directory with plain images in it, but the image is encoded in the page html, so it is reconstructed on the fly by the script. Since you don't have images in the directory, nobody can attempt to point the browser directly to them, since they simply do not exist. You can use this site to encode the images:

http://www.motobit.com/util/base64-decoder-encoder.asp

Then you have to "call" the image in the html code using this tag:

img src="data:image/gif;base64, ..............................................(here you place the code obtained from the site above)...............

You're done! Your images are not accessible if the user is not logged in.

Zagor
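Zagor's inline-image approach, as an added example in PHP rather than ASP (the question is PHP-based; this is not Zagor's code). It assumes the same session login ($_SESSION['username']) and an image kept outside the web root at the hypothetical path /var/app/private_images/logo.gif. No external encoding site is needed: base64_encode() does the encoding at request time, and the file still never sits anywhere a browser can address directly.

```php
<?php
// Added example: serve an image inline as a data: URI after a session check.
// The image path and the session key are assumptions, not taken from the page.

declare(strict_types=1);

session_start();
if (!isset($_SESSION['username'])) {
    http_response_code(403);
    exit('Please log in');   // nothing of the image is sent on this path
}

$path = '/var/app/private_images/logo.gif';   // assumed: outside the web root

// Decide the media type from the file's bytes, and only inline types we expect.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($type, ['image/gif', 'image/jpeg', 'image/png'], true)) {
    http_response_code(404);
    exit('Not found');
}

// Encode on the fly; the result goes into the HTML, never into a web directory.
$dataUri = 'data:' . $type . ';base64,' . base64_encode(file_get_contents($path));

header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: private, no-store');
echo '<img src="', htmlspecialchars($dataUri, ENT_QUOTES), '" alt="gallery image">';
```

In terms of access control this is the same as the proxy page: the session check runs before any image bytes leave the server. What differs is delivery. Base64 makes the payload about a third larger than the raw file, the browser cannot cache the image separately from the page, and a logged-in user can still copy the data: URI out of the page source, so it does not protect images from people who are entitled to see them any better than the other answers do.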