
I need to restrict access to profile images only to logged in users. I've been reading some posts about how to do that, but didn't find examples that let me understand how to do it. Maybe I just didn't understand because I don't know much about .htaccess rules.

I've tried:

Order allow,deny
Deny from all

But it denies access to all (dóh), including myself. I cannot use IP addresses.

I don't use session IDs in the URLs, but I check for logged-in users with a PHP script (the same one that generates the session in the first place, when the user logs in).

So I thought that maybe I could implement a cookie check?

I'm not using cookies at the moment, but I could create a cookie every time the user logs in, and destroy it when the user logs out. So my questions are:

Is the cookie check a safe enough, performant option?

If it is, how may I do that check?

I've gotten as far as understanding this:

 RewriteEngine On
 RewriteBase /

 # match requests for image files (extension matched case-insensitively)
 RewriteCond %{REQUEST_FILENAME} \.(jpe?g|png|gif)$ [NC]
 # ... whose Cookie header does not carry "mycookie=" at all
 # (the original ^.mycookie.$ only matched a header of exactly one character,
 # "mycookie" and one more character, so it never matched a real header)
 RewriteCond %{HTTP_COOKIE} !(^|;\s*)mycookie= [NC]
 # both conditions true: refuse the request with 403 Forbidden
 RewriteRule ^ - [F]

How to check if the cookie is present then allow to continue to the image?

Please note that the images are shown embedded in my site inside each profile .php file.

Thanks for your help!

Rosamunda

1 Answer


Try using the $_SESSION array. You can create a session using session_start() and destroy it using session_destroy(); it is easier to validate a session than cookies. You can also send parameters when creating a session, for example:

session_start(); // its optional array argument (PHP 7+) takes only session ini options, not user data
$_SESSION['param1'] = 'value';  // application data goes into $_SESSION once the session is started
$_SESSION['param2'] = 'value2'; /* ... $_SESSION['paramN'] = 'valueN'; */

and validate it like this:

session_start();
if (isset($_SESSION)) { // always true after session_start(); check a specific key (below) for real validation
    // Do stuff
}

You can also check if a specific parameter is in the session:

if(isset($_SESSION['param1'])){
//Do another thing
}
Poncho
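Taking the answer's session approach through to the image itself, as an added example that is not code from the question or the answer: a PHP gatekeeper that serves a profile image only when the server-side session marks the visitor as logged in. A cookie-presence test in .htaccess can be satisfied by anyone who creates a cookie of that name in their browser, whereas the login state here is stored on the server and only looked up by the session id. Assumed names: images live in private_images/ (not directly web-accessible), login sets an integer $_SESSION['user_id'], and an assumed rewrite rule routes /profile-images/<name> to this script.

```php
<?php
// Added example, not from the question or answer. Assumptions: images live in
// private_images/ (not web-accessible directly), login sets an integer
// $_SESSION['user_id'], and this assumed .htaccess rule routes requests here:
//   RewriteRule ^profile-images/([^/]+)$ serve_image.php?f=$1 [L,QSA]
declare(strict_types=1);

const IMAGE_DIR = __DIR__ . '/private_images';
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                       'png' => 'image/png',  'gif' => 'image/gif'];

function is_logged_in(): bool
{
    // The browser only holds the session id; the login state itself lives
    // server-side, so adding a cookie by hand does not create a valid session.
    return isset($_SESSION['user_id']) && is_int($_SESSION['user_id']);
}

function resolve_image(string $requested): ?string
{
    // Accept a bare file name with an image extension only; this rejects
    // "../" traversal, absolute paths and non-image files outright.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/i', $requested)) {
        return null;
    }
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $requested);
    // realpath() resolves symlinks, so the prefix test applies to the real file
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (!is_logged_in()) {
    http_response_code(403);
    exit('Login required');
}
$requested = is_string($_GET['f'] ?? null) ? $_GET['f'] : '';
$path = resolve_image($requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store'); // keep shared caches from storing it
readfile($path);
```

Profile pages then embed the image as `<img src="/profile-images/alice.jpg">`; the browser sends the session cookie with that request, so logged-in users get the file and everyone else gets a 403.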