
Apache Web Server Forum

Deny direct path but not from html

 8:07 pm on Feb 2, 2009 (gmt 0)

I suspect this is impossible, but I am going to ask anyway.

I have a directory with pictures which are called from a webpage (normal <img>-tag), but I don't want people to look at the source of my page and then type in the direct path to these images.
In other words, I want direct access to these images to be impossible, but still be able to show them on my page.

Can this be done with htaccess?




 8:29 pm on Feb 2, 2009 (gmt 0)


Create an htaccess within the image folder, ONLY allowing access from your own website's pages.

Jim gave an example of this some time ago (and has not lingered on since). I failed to bookmark the thread and have been unable to locate it.


 11:15 pm on Feb 2, 2009 (gmt 0)


You mean using something like:

RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [L]

I came across a few scripts like that, but they all fail to work. I guess because either:

1) typing www.your-domain.com/gallery/pictures/picture.jpg acts as access from own site, or:
2) HTTP_REFERER is blocked (by a firewall or something)


 12:28 am on Feb 3, 2009 (gmt 0)

Here's the thread I was looking


 2:15 am on Feb 3, 2009 (gmt 0)

That thread only applies to cases where a script is used to "include" objects.

In order to prevent direct image access, you need to use an image-serving script that checks for a cookie set by the page that is "authorized" to display the image, or you need to play games with dynamically changing the image URLs, and then using .htaccess or a script to "reconnect" the frequently-changed URLs with the actual file location on your server.

Be advised, however, that once someone sees your image on their screen, they can copy it -- either using "Save image as" in the browser, or simply by taking a screenshot.



 10:54 am on Feb 3, 2009 (gmt 0)

Hi jdMorgan,

How would one initiate a script that checks for a cookie during direct access? I only have a little more than basic knowledge of apache.

As for copying the image on-screen, I already have a watermark-script in place to prevent that.

Just to give you an idea what I need, I currently display images so:

<img id="bigpicture" src="image.php?main=gallery/full/01.jpg&amp;watermark=gallery/watermark.png" />

[edited by: Bert36 at 10:59 am (utc) on Feb. 3, 2009]


 3:47 pm on Feb 3, 2009 (gmt 0)

So you have already "initiated a script" by pointing <img src> requests to your watermarking script.

You could add the cookie-checking to your watermark script. If your watermark script is an off-the-shelf solution and subject to frequent revisions/upgrades, or if you don't want to modify it for any other reason, then you could "wrap" that script inside another one. Your <img src> references on your pages should then call the wrapper script instead of the watermarking script. The wrapper script would then call the cookie-checker script and the watermark script in turn, and as appropriate.

Coding the scripts themselves is well outside the scope of this forum, but we do have scripting forums here... :)



 3:53 pm on Feb 3, 2009 (gmt 0)


I feel confident enough to be able to write such a script. But something is not clear to me. How would this prevent people from looking at a picture when they type in a direct link? By typing the direct link, no script (cookie-checking or otherwise) would be called...or am I missing something?


 4:05 pm on Feb 3, 2009 (gmt 0)

You will have to rename the image files (or perhaps just their shared directory if they are so organized) so that old "direct links" are no longer valid. You could redirect these old links to your script, to the html page that includes them, or simply let them go 404-Not Found if that's not feasible.



 4:17 pm on Feb 3, 2009 (gmt 0)

Ah... of course.

Silly how one can sometimes miss the obvious.

Thanks a lot!
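
The approach jdMorgan outlines above (a wrapper in front of the watermark script that checks a cookie set by the gallery page, with the image files moved so that old direct URLs no longer resolve), as an added example that is not code from any poster in this thread. It assumes PHP 7.3+; the secret, the cookie name `imgauth`, the lifetime and the `/var/www/private/gallery` path are hypothetical. It also confines the `main` parameter to the image directory, which any script taking a file path from the query string needs.

```php
<?php
// Added example: wrapper script called from <img src>. All names below are assumptions.
const SECRET     = 'replace-with-a-long-random-value'; // placeholder, keep out of the web root
const COOKIE     = 'imgauth';                          // hypothetical cookie name
const TTL        = 300;                                // token lifetime in seconds
const IMAGE_ROOT = '/var/www/private/gallery';         // hypothetical, not directly served

// Used by the gallery page (via a shared include) to mint the cookie value.
function issue_token(int $now): string {
    $exp = (string)($now + TTL);
    return $exp . '.' . hash_hmac('sha256', $exp, SECRET);
}

// Accept only "<expiry>.<hmac>" where the HMAC matches and the expiry is in the future.
function token_valid(string $token, int $now): bool {
    if (!preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/', $token, $m)) {
        return false;
    }
    $expected = hash_hmac('sha256', $m[1], SECRET);
    return hash_equals($expected, $m[2]) && (int)$m[1] >= $now;
}

// Resolve the requested name and reject anything outside IMAGE_ROOT or not an image.
function resolve_image(string $requested): ?string {
    $path = realpath(IMAGE_ROOT . '/' . $requested);
    if ($path === false
        || strncmp($path, IMAGE_ROOT . '/', strlen(IMAGE_ROOT) + 1) !== 0) {
        return null;
    }
    return preg_match('/\.(jpe?g|gif|png)$/i', $path) ? $path : null;
}

$token = $_COOKIE[COOKIE] ?? '';
$file  = resolve_image($_GET['main'] ?? '');
if (!token_valid($token, time()) || $file === null) {
    http_response_code(403);   // no cookie, stale cookie, or bad path
    exit;
}
// Hand $file to the existing watermark code here; a plain passthrough is shown.
$types = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png'];
header('Content-Type: ' . $types[strtolower(pathinfo($file, PATHINFO_EXTENSION))]);
readfile($file);
```

The gallery page would set the cookie before sending any output, for example with `setcookie('imgauth', issue_token(time()), ['path' => '/', 'httponly' => true, 'samesite' => 'Lax'])`. A visitor who has just loaded the page can still open the image URL directly until the token expires, so this stops cold direct requests and off-site embedding rather than copying.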
