-1

I have created a simple PHP web site with two areas - a public and a membership. All is well and such. Login works and the webpages are all protected from non-member users. However, I cannot seem to protect against direct access to, say, members-only pictures. By directly entering the full URL of a picture, I can view it in full without logging in - e.g. http://www.mysite.com/members/gregs_funny_cat.jpg.

Is there a way to prohibit such access through scripting? The website is on a webhotel and I don't have access to .htaccess.

Sandokan
  • 2
    You can upload the images to a folder above the webroot and use a script to retrieve them. – user254875486 Sep 05 '12 at 14:31
  • See also: http://stackoverflow.com/questions/10596116/caching-http-responses-when-they-are-dynamically-created-by-php/10596231#10596231 – Ja͢ck Sep 05 '12 at 14:34

3 Answers

1

Put your images outside the apache-directory, if you have access to such a directory. That could be the parent directory or a subdirectory of it ... Write a PHP script to open the files from there, and send them to the browser after checking if the user is logged in.

user410932
0

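You can read the image file with PHP and echo it only to the logged-in users with the appropriate headers. Something like:

// $userLoggedIn is assumed to be set by your existing login code
if ($userLoggedIn)
{
    // Read the image bytes from disk
    $f = file_get_contents("path/to/jpeg/file.jpg");

    // Declare the content type, then send the image to the browser
    header('Content-Type: image/jpeg');
    echo $f;
}

As the @Lex comment suggests, you should put them above the webroot folder.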

Community
Nasreddine
0

I would put the files outside of the root folder if you have one. Then call the files via a PHP wrapper, i.e. <img src="files/file.php?id=01341" />, and in the file.php output the file with image headers if the user has the rights to view the file. In the table, you have the real image URI that corresponds to your 01341 token, and this is what file.php loads and outputs as image to the requester. This way the real URI of your server files stays hidden and you get to check access rights for every image load.

raygo
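
The wrapper approach the answers describe (files kept outside the web root, a token looked up and the login checked on every request), as an added example that is not code from any of the posts. The session key `user_id`, the `MEMBER_IMAGE_DIR` path and the token map are assumptions standing in for your own login code, directory and database table.

```php
<?php
// file.php: added example. Assumes the login code sets $_SESSION['user_id'].
// MEMBER_IMAGE_DIR is a hypothetical directory outside the web root.
const MEMBER_IMAGE_DIR = '/home/example/private_images';

// Constructed sample data: token => file name (would be a database lookup).
const IMAGE_TOKENS = ['01341' => 'gregs_funny_cat.jpg'];

// Resolve a token to a real path inside $baseDir, or null if unknown or unsafe.
function resolveImagePath(string $token, array $tokens, string $baseDir): ?string
{
    if (!isset($tokens[$token])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $tokens[$token]);
    // realpath() collapses "../"; reject anything that escapes the base directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function serveMemberImage(): void
{
    session_start();
    if (empty($_SESSION['user_id'])) {           // not logged in
        http_response_code(403);
        return;
    }
    // is_string() rejects array input such as ?id[]=x
    $token = isset($_GET['id']) && is_string($_GET['id']) ? $_GET['id'] : '';
    $path = resolveImagePath($token, IMAGE_TOKENS, MEMBER_IMAGE_DIR);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    $types = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . ($types[$ext] ?? 'application/octet-stream'));
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');  // keep member images out of shared caches
    readfile($path);                             // stream the file without loading it into memory
}

serveMemberImage();
```

Because the client only ever supplies a token, never a file name, the path check is a second line of defence in case a stored file name is ever wrong or attacker-influenced.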