
.htaccess -> deny direct path access to browsers of image files

I need to deny a browser direct access to an image url


bhammel

7:46 pm on May 14, 2010 (gmt 0)

10+ Year Member



I'm a new web developer and currently creating a site that contains a user area which includes a photo gallery. I have never had to write a .htaccess file before and I am getting all sorts of lost looking for a solution to my problem:

How I'd like the process to go:

1. A user logs into the site to gain access to the gallery.
2. A user may browse through photos while within the gallery.

What I would not like to happen:

1. A user types in the direct address to an image, www.any_site.com/images/image.jpg.
2. The user's browser displays the image.


I believe the .htaccess file is where I should be limiting the access to this file, but I don't know where to start.

Some helpful information about the site:

The site is coded using PHP and XHTML with CSS styling.
The login and session handling works appropriately for restricting actual page access.

I need to be able to display the image (so allow my PHP access to the image and then thus the browser access when called in an <img> tag); however, I cannot put the images folder above my root directory.

Also, I have no idea where to find a good starting place for learning to write the .htaccess files (syntax, proper functions, etc.).

If anyone can help with this specific problem, but also knows of a place I can actually learn the information for creating .htaccess files, I would be most appreciative.


Thank you for your time.

g1smd

7:58 pm on May 14, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Cookies.

That's the only serious way to get this job done.

bhammel

8:37 pm on May 14, 2010 (gmt 0)

10+ Year Member



Well, my issue with cookies is that they are susceptible to manipulation by the end user, from my understanding.

I may be wrong about this, and if that is the case, I would certainly like to be informed of such misinterpretation.

If this truly is the best route to proceed, could you please provide a bit more detail?

Thank you!

jdMorgan

9:59 pm on May 14, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Set a short-term cookie on the "page(s) that must be visited to access images." Rewrite all image-URL requests to a script. Test the cookie in this script, and if the cookie is set, valid, and not expired, have the script open and read the image file and serve the image to the client. Otherwise, 403 the request and serve a default image with the message, "Oops! - Please refresh this page to continue" (or something similarly-friendly but non-committal) in it, followed by your Web site's URL -- Keep the text very short and clear to allow for easy reading in either landscape or portrait image aspect ratios.

Deny all access to the image-storage directory via HTTP -- images will be accessed using only filesystem requests issued by your image-serving script, not by HTTP requests.

Cookies can be manipulated, but you could encrypt the cookie string's value if you think that's really necessary. Most people on the Web don't know how, and few of those that do would bother -- In almost all cases, there are simply too many other Web sites where they can get the same or similar content if they want it.

That last paragraph is both a reassurance and a warning: If you interfere with the ways that your "good" users like to use your site, then you may not have many "good users" left... You should consider if this applies to your site and users.

Jim
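The flow Jim describes (gallery page sets a short-lived cookie, image requests are rewritten to a script that checks it and either streams the file or answers 403 with a placeholder, and the storage directory is closed to HTTP), as an added example that is not code from the thread. It assumes PHP 7.1+, the file and directory names shown, a placeholder image named refresh_notice.png, and a server-side secret; the cookie value is HMAC-signed with an expiry so that editing it in the browser does not help, which addresses the "cookies can be manipulated" concern without full encryption.

```php
<?php
// serve_image.php (hypothetical name). Assumed .htaccess in the site root:
//   RewriteEngine On
//   RewriteRule ^images/([A-Za-z0-9_.-]+\.(?:jpe?g|png|gif))$ serve_image.php?f=$1 [L]
// and in private_images/.htaccess, so the directory is never readable over HTTP:
//   Require all denied        (Apache 2.4; "Deny from all" on Apache 2.2)

const IMAGE_DIR   = __DIR__ . '/private_images';   // filesystem-only storage
const COOKIE_NAME = 'gallery_pass';
const SECRET      = 'REPLACE-WITH-LONG-RANDOM-SERVER-SECRET'; // placeholder value
const TTL         = 1800;                           // seconds a gallery visit stays valid

// Called by the logged-in gallery page (which includes these same constants and
// functions) after its own session check passes. Value is "expiry.hmac", so a
// client that edits the expiry invalidates the signature.
function issue_gallery_cookie(): void {
    $exp = time() + TTL;
    $mac = hash_hmac('sha256', (string)$exp, SECRET);
    setcookie(COOKIE_NAME, "$exp.$mac", $exp, '/', '', false, true); // HttpOnly
}

// True only for a well-formed, unexpired cookie whose MAC matches.
function cookie_is_valid(?string $value): bool {
    if ($value === null || substr_count($value, '.') !== 1) return false;
    [$exp, $mac] = explode('.', $value, 2);
    if (!ctype_digit($exp) || (int)$exp < time()) return false;
    return hash_equals(hash_hmac('sha256', $exp, SECRET), $mac);
}

// Map the requested name onto IMAGE_DIR; basename() plus the realpath prefix
// check rejects ../ traversal and anything outside the storage directory.
function resolve_image(string $name): ?string {
    $path = realpath(IMAGE_DIR . '/' . basename($name));
    $root = realpath(IMAGE_DIR) . DIRECTORY_SEPARATOR;
    return ($path !== false && strpos($path, $root) === 0) ? $path : null;
}

$file = resolve_image($_GET['f'] ?? '');
if ($file === null) {
    http_response_code(404);
    exit;
}
if (!cookie_is_valid($_COOKIE[COOKIE_NAME] ?? null)) {
    // No valid cookie: 403, but still send a friendly "please refresh" image.
    http_response_code(403);
    $file = IMAGE_DIR . '/refresh_notice.png';   // assumed placeholder image
}
header('Content-Type: ' . mime_content_type($file));
header('Content-Length: ' . (string)filesize($file));
readfile($file);
```

Feeding the PHP session id into the HMAC input as well would tie each cookie to one logged-in visitor rather than to any browser that holds a copy of it.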

bhammel

11:41 pm on May 14, 2010 (gmt 0)

10+ Year Member



Okay, so it sounds like cookies might be an option. I don't believe the content on my site will really be that interesting to any malicious users anyway.

I guess my only other thought would be about cookies versus saving the images to my database rather than an images directory. I am trying to think large scale, as I would like to learn secure techniques for handling files on the web to become a better web developer.

I realize this question is now out of scope for the Apache section, but if anyone has a quick comment on cookies vs saving to the db I wouldn't mind the two cents.

Thanks for your help!