
Suppose user A has some images in his/her Facebook account which s/he can view after logging in.

If user A logs out and the URL of one of those images is tried, an 'access restriction'-type message appears.

Think of a social networking site built in PHP.

How do I achieve that kind of control so that NO images can be viewed without logging in to the site, JUST as Facebook does?

Istiaque Ahmed

1 Answer

  • Move all of the images to a folder which is not accessible from the web.
  • Implement a PHP script (image.php) which checks if the user is logged in and accepts an image name as input (e.g. image.php?name=flower.png).
  • If the user is logged in, send the proper content-type image header() (http://il2.php.net/manual/en/function.header.php), image/png for example.
  • Read the file from disk and send it to the user using readfile() (http://php.net/manual/en/function.readfile.php).
  • Make sure people won't be able to access files outside the images dir by sending something like /images.php?name=/etc/hosts. It would be better to accept an image ID instead of a file name, or a hash of the file name; you can use md5() (http://il2.php.net/manual/en/function.md5.php) to generate the hash, but remember to name the image files according to their md5 hashes. In this case you always look up the image file only in the images directory.
  • If the user is not logged in, you can send a custom image which reads "please login" or just terminate the script.
Yaniro
  • Suppose the image URL is mysite.com/images/img.jpg. If this URL is hit, when will the script image.php be executed? – Istiaque Ahmed Oct 25 '12 at 11:39
  • The `src` attribute of the image should be: mysite.com/image.php?name=img.jpg so the script image.php will control the access to the image file and show it only in case the requesting user is logged in. If he/she isn't logged in, the script should terminate the execution; otherwise, the script should `readfile( 'path/images/img.jpg' )` in order to send the image to the user (also don't forget to use `header()` to set the proper content-type). – Yaniro Oct 25 '12 at 14:02
  • If the URL is mysite.com/images/img.jpg, which src attribute will it try to read? – Istiaque Ahmed Oct 26 '12 at 07:21
  • Your first link in the answer (http://il2.php.net/manual/en/function.header.php) does not work. – Istiaque Ahmed Oct 26 '12 at 07:21
  • If your URL specifies a .jpg file directly, and the image file is directly accessible on the internet, there won't be an easy way to make sure only authenticated users can see it; that is why all of the links should point to a PHP script and not the image itself. The link is: http://www.php.net/manual/en/function.header.php – Yaniro Oct 26 '12 at 15:33
  • Is that the way social networking sites like Facebook use? What about performance if all the images in a social networking site are displayed in this way? – Istiaque Ahmed Oct 28 '12 at 07:44
  • What is the term for all these called? I am not into PHP so I need to know the exact term. – Sushan Jan 13 '20 at 07:10
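The gatekeeper script the answer and comments describe, written out as an added example (not Yaniro's code). It assumes the login flow sets `$_SESSION['user_id']`, that the images live in a directory outside the document root (the `IMAGE_DIR` path below is a placeholder), and that pages embed images as `<img src="image.php?name=img.jpg">` rather than linking the file directly.

```php
<?php
// image.php - added example, not from the original answer.
// Serves image files that live outside the web root, but only to logged-in users.
// Assumptions: login sets $_SESSION['user_id']; IMAGE_DIR is a placeholder path
// that the web server does not serve directly; ?name= carries a bare file name.
session_start();

const IMAGE_DIR = '/var/www/private_images'; // assumed location, outside the document root

// Not logged in: refuse. A "please log in" image could be sent here instead.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Please log in to view this image.');
}

// Accept only a plain file name made of letters, digits, dot, dash and underscore.
// This rejects inputs such as ?name=/etc/hosts or ?name=../../secret before any disk access.
$name = $_GET['name'] ?? '';
if (!preg_match('/\A[A-Za-z0-9_-]+\.(png|jpe?g|gif)\z/', $name)) {
    http_response_code(400);
    exit('Invalid image name.');
}

// Defence in depth: resolve the real path and confirm it is still inside IMAGE_DIR,
// so symlinks or unexpected normalisation cannot escape the images directory.
$base = realpath(IMAGE_DIR);
$path = realpath(IMAGE_DIR . DIRECTORY_SEPARATOR . $name);
if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found.');
}

// Derive the Content-Type from the file's actual bytes, not from the extension the client supplied.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) {
    http_response_code(404);
    exit('Not found.');
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store'); // keep shared caches from handing the image to other users
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the files sit outside the document root, a direct request such as mysite.com/images/img.jpg cannot succeed at all; the only route to the bytes is through this script and its session check.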