
I have a folder full of images on my server that my mobile app accesses, e.g. www.mysite.com/images/image001.jpg

Whoever has this link can now access the files, and can also work out that the images are in a certain order and thus guess the pattern, etc.

The image links are obtained via the PHP inside the app, which uses a token to verify that the user is legitimate and that the request is indeed coming from a mobile device that has downloaded the app.

What I want to do is secure the folder from external access, prevent people from opening the folder and seeing everything from a browser, and limit access to it to the PHP file only.

I have used the trick of `.htaccess` with `deny from all` so that it shows the forbidden message whenever someone visits from the web; however, now none of my JSON requests work either.

What can I do to accomplish this?

tony9099

2 Answers


You will have to serve the images with a PHP script that also checks that access is permitted.

Once you've done this you can simply store the images outside the web root, which makes them inaccessible from the web, except through the PHP file that serves them.

KIKO Software
  • Or you can also use `RewriteRule` to redirect/block certain directories under `var/www/html` – TheRealChx101 Apr 24 '17 at 07:18
  • @kikosoftware, you mean I can now take the folder to a location before the /var/www/html and access it using a php that checks for the token? But how would that happen ? – tony9099 Apr 24 '17 at 07:30
  • It depends a bit on your server, of course. But assuming you use Linux and Apache, there are already directories above the httpdocs directory for storing certain things (in your case 'html'?). You can simply add another. These directories are accessible with PHP, without any extra configuration, and not accessible through the web. The idea of TheRealChx101 is also valid, but it depends on the presence of a correctly working .htaccess file. – KIKO Software Apr 24 '17 at 07:48
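A worked example of this answer's approach, added here and not part of the original post or the asker's code: a PHP script that checks the caller's token, resolves the requested file name inside a directory that sits outside the web root, and streams the image. The directory `/var/www/private_images`, the `X-App-Token` header and the `APP_TOKEN` environment variable are assumptions; `tokenIsValid()` is a stand-in for whatever the asker's existing PHP already does.

```php
<?php
// Added example: serve an image only after the caller's token has been verified.
// The images live outside the document root, so this script is the only way in.
declare(strict_types=1);

// Assumption: a directory above the document root, not reachable by URL.
const IMAGE_DIR = '/var/www/private_images';

// Stand-in for the app's own token check; replace with the existing logic.
function tokenIsValid(string $token): bool
{
    // Placeholder: the expected token comes from the environment here; in
    // practice it would be looked up server-side per user or per session.
    $expected = getenv('APP_TOKEN') ?: '';
    return $expected !== '' && hash_equals($expected, $token);
}

// Return the absolute path of the requested image, or null if the name is not
// a plain file name (rejects "../" traversal) or the file does not exist.
function resolveImage(string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(jpg|jpeg|png|gif)\z/', $name)) {
        return null;
    }
    $path = realpath(IMAGE_DIR . DIRECTORY_SEPARATOR . $name);
    // realpath() normalizes the path; confirm it still starts inside IMAGE_DIR.
    $prefix = IMAGE_DIR . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$token = $_SERVER['HTTP_X_APP_TOKEN'] ?? '';
if (!tokenIsValid($token)) {
    http_response_code(403);
    exit;
}

$path = resolveImage($_GET['img'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit;
}

header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

The app would then request `/image.php?img=image001.jpg` with the token header instead of the direct `/images/...` URL, and the `.htaccess` rule that broke the JSON endpoints is no longer needed.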

The best option is to make the pic links randomized and un-guessable.

So a pic link would look like this:

www.mysite.com/images/8Md9FhD1hANdIBUz4WVCzKR227fykTByq6SKHas5FyYJDr2EjAlIn1bS0f5gPJih.jpg

YouTube uses this method for "private" videos.

Users / bots can't access them randomly, and you can't guess the next pic.

When the user is authenticated, display the link. The worst thing that can happen is that this user can share that link (he can download and share no matter what you do).

When you save the picture on your server, just randomize the name.

Nimrod007
  • It all depends on really how secure you want to be. In principle this method is not secure at all. See: http://stackoverflow.com/questions/533965/why-is-security-through-obscurity-a-bad-idea I found that Google indexed files which I thought it could never find. Google will find a way. Of course they will not index private videos on YouTube... any idea why? – KIKO Software Apr 24 '17 at 07:54
  • If you only publish the links in session-protected pages, and people don't publish the links on their own public pages, Google won't index them. And yes, this method isn't secure. If a user shares this info it's public. But when you present the picture to a user he can do what he wants anyway.... – Nimrod007 Apr 24 '17 at 12:55