Following advice on this website, I used an image.php file to return an image resource, as suggested here (linking to the images as files is not an option due to security restrictions).

How can I restrict the images that a certain user can 'get' from this image.php file?

I am using an OOP MVC architecture in my website. Upon connection, when index.php runs, many classes are loaded and instantiated thus the thread has variables indicating who the user is and what resources he can access.

This file image.php (returns an image) acts as a 'stand alone' script (accessed by an HTML src attribute from the client side), not loaded by the already-running thread, and (forgive me if I misunderstand it) has no variables to indicate who the user is and what he can access.

I could have image.php go through the same routine as index.php, loading and instantiating classes, but I think it would be a terrible waste of resources for a single image.

How can I restrict the images returned by image.php on user basis without creating an additional load on the server?

EDIT: I have observed on some websites that image.php is passed a long string GET variable; can that be a method?

If I explained myself in an unclear manner, please be patient and let me know, I'll try to clarify.

Dean
  • Is there any session data you can use? If so, there's your answer – rjdown Mar 14 '15 at 18:10
  • Yes, of course. You suggest loading only the resources needed to parse the session and use this data to control access? – Dean Mar 14 '15 at 18:10

1 Answer

You need to identify the user somehow on image.php and that will depend on how you create the user session. If you are using PHP sessions you could just do:

session_start();
$username = $_SESSION['username'];
// check permissions

Most frameworks use adapters and wrappers for the PHP session; on image.php, just var_dump($_SESSION) and check if the information you need is there. Don't forget to call session_start.

lbrandao
  • Wouldn't it be resource intensive if I have about 20-50 images a page? – Dean Mar 14 '15 at 18:45
  • Checking the session is not resource intensive. It's the minimum you need. Passing all images through a PHP script like you are doing is more resource intensive than that. – lbrandao Mar 15 '15 at 21:20
  • Just a follow-up: if you are using a database to store session variables, you could make it faster by storing the relevant information in memory, thus saving the trip to the database. That could speed things up quite a bit for 50 images. I suggest you take a look at memcache http://php.net/manual/en/book.memcache.php – lbrandao Mar 17 '15 at 17:21
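
A session-only image.php along the lines of the answer above, added here as an example and not code from the question or the answer. It assumes the main application writes `$_SESSION['username']` and a hypothetical `$_SESSION['allowed_images']` list of integer ids at login, that images are requested as `image.php?id=42`, and that the files sit outside the web root under the placeholder path `IMAGE_DIR`.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions (hypothetical names): at login the main application stores the
// integer ids of the images this user may view in $_SESSION['allowed_images'],
// and the files live outside the web root in IMAGE_DIR as "<id>.jpg".
const IMAGE_DIR = '/var/www/private/images';

// Pure decision function: returns the file path to serve, or null to deny.
function resolve_image(array $session, $requestedId, string $dir): ?string
{
    // Accept only a short, plain numeric id, so the value can never carry
    // "../", a null byte or any other path component (arrays are rejected too).
    if (!is_string($requestedId) || !ctype_digit($requestedId) || strlen($requestedId) > 9) {
        return null;
    }
    // No authenticated user in the session: deny.
    if (empty($session['username'])) {
        return null;
    }
    $id = (int) $requestedId;
    // Per-user check against the ids recorded at login (strict comparison).
    if (!in_array($id, $session['allowed_images'] ?? [], true)) {
        return null;
    }
    return $dir . '/' . $id . '.jpg';
}

session_start();
$path = resolve_image($_SESSION, $_GET['id'] ?? null, IMAGE_DIR);
// Release the session lock straight away: with the default file handler PHP
// serialises requests that share a session, so 20-50 image requests on one
// page would otherwise wait for each other.
session_write_close();

if ($path === null || !is_file($path)) {
    // Same response for "not permitted" and "not found", so the script
    // does not reveal which image ids exist.
    http_response_code(404);
    exit;
}

header('Content-Type: image/jpeg');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, max-age=300'); // browser cache only, not shared proxies
readfile($path);
```

Only the session is loaded, none of the MVC classes, and the authorization decision is made once at login rather than on every image request.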