
Restrict Access To Private Images

As a photographer, I have my own website with a portfolio and such. I also have a log-in system for users, where I give them access to their own private images (it displays all ima

Solution 1:

If you need to restrict access to files to logged-in users only, you should move all the files out of the web root and put them somewhere they cannot be accessed directly through the web server.

Then you serve the files through PHP after the user is authenticated. See, for example, the first example on the readfile() page of the PHP manual.

So when a user logs in, you store, for example, the user ID in a session variable, and at the top of the file-serving script you check whether that ID is correct/allowed access to that specific file.
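The following is an added example of the file-serving script this answer describes; it is not code from the original post. It assumes the login code has already put the user's ID in `$_SESSION['user_id']`, that each user's images live under `/var/www/private_images/<user_id>/` (a directory outside `DocumentRoot`), and that pages embed images as `<img src="/serve.php?file=beach.jpg">`. All of those names and paths are assumptions made for the example.

```php
<?php
// serve.php - added example: stream a private image to its authenticated owner.
// Assumed layout: /var/www/private_images/<user_id>/<file>, outside the web root.
declare(strict_types=1);

session_start();

const PRIVATE_ROOT = '/var/www/private_images'; // assumed location, not under DocumentRoot

// 1. Require an authenticated session; the login script is assumed to set user_id.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}
$userId = (int) $_SESSION['user_id'];

// 2. Accept only a plain image file name: no slashes, no "..", no hidden files.
$name = $_GET['file'] ?? '';
if (!preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif)\z/i', $name)) {
    http_response_code(400);
    exit('Bad request');
}

// 3. Resolve both the user's directory and the file, and confirm the file really
//    lives inside that directory (guards against symlinks and traversal tricks).
$base = realpath(PRIVATE_ROOT . '/' . $userId);
$path = ($base === false) ? false : realpath($base . '/' . $name);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// 4. Decide the Content-Type from the bytes, not the file name, and only serve images.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
    http_response_code(415);
    exit('Unsupported media type');
}

// 5. Send the file. "private, no-store" keeps shared caches and proxies from keeping a copy.
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: inline; filename="' . $name . '"');
header('Cache-Control: private, no-store');
readfile($path);
```

The important checks are the `realpath()` comparison against the user's own directory (so `file=../other_user/x.jpg`, even if it slipped past the regex, can never resolve outside the caller's folder) and the explicit 404 when the user directory itself does not exist; without that second check `realpath()` returns `false`, the prefix would collapse to `/`, and every absolute path would pass.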


Solution 2:

Further to what Jeroen has said, you're on the right track in identifying that the folder name could be the weak point, and that it should be difficult/impossible to guess. There is no need to name folders after users; you can create a random 8, 12 or 16-char alphanumerical string and store that in the userRow as, perhaps, $userRow['folder_name'].

You can also put all user folders under a structure like http://example.com/storage/A97LD34B2 and ensure that the storage folder has an .htaccess file with:

Options All -Indexes

That's all you need in that text-only file. This, of course, assumes you have an Apache web server (by far the most common, especially for shared hosting accounts). This file would prevent Mr Snoopy from navigating to http://example.com/storage and seeing a list of files.

Here are two S.O. questions that outline how to construct a password-protected members-only system:

Login into a website and get html from a page

PHP - Secure member-only pages with a login system

Note that each folder would contain an index.php file that would serve up files as Jeroen described.
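An added example of how to create the unguessable per-user folder this answer suggests, including the .htaccess line it quotes; it is not code from the original post. It assumes a PDO connection `$pdo`, a `users` table with `id` and `folder_name` columns, and a web-accessible `/var/www/html/storage` directory, all of which are assumptions for the example.

```php
<?php
// make_storage.php - added example: allocate a random storage folder for a user.
declare(strict_types=1);

const STORAGE_ROOT = '/var/www/html/storage'; // assumed: the web-accessible storage folder

// 16 hex characters from 8 CSPRNG bytes (2^64 possibilities); random_bytes() never
// falls back to a weak generator, it throws if no secure source is available.
function newFolderName(int $bytes = 8): string
{
    return bin2hex(random_bytes($bytes));
}

function createUserStorage(PDO $pdo, int $userId): string
{
    do {
        $name = newFolderName();
        $dir  = STORAGE_ROOT . '/' . $name;
    } while (file_exists($dir)); // retry on the astronomically unlikely collision

    if (!mkdir($dir, 0750, true)) {
        throw new RuntimeException('Cannot create ' . $dir);
    }

    // The directive from the answer, so this folder can't be listed even if the
    // parent's .htaccess is ever lost.
    file_put_contents($dir . '/.htaccess', "Options All -Indexes\n");

    // Store the name against the user, as $userRow['folder_name'] in the answer.
    $stmt = $pdo->prepare('UPDATE users SET folder_name = :folder WHERE id = :id');
    $stmt->execute([':folder' => $name, ':id' => $userId]);

    return $name;
}

// Example call, assuming $pdo is already connected and user 42 exists:
// $folder = createUserStorage($pdo, 42);   // e.g. "a97ld34b2f10c8e9"-style hex string
```

Two practical notes. Use `random_bytes()` rather than `rand()` or `uniqid()` for the folder name, since the name is doing the job of a secret. And `Options All -Indexes` only suppresses the directory listing: Apache will still serve any file in that folder to anyone who knows (or guesses, or is forwarded) its full URL. If the images must stay private after a link leaks, keep them outside the web root and let the folder's index.php hand them out after the session check, as Solution 1 describes.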

