PHP, Session and protect folder

I made a small framework to let users here administrate small web info pages.

They can upload documents, images, and make some pages protected by folders. ALL DOCUMENTS ARE UPLOADED IN A SINGLE FOLDER FOR A USER (image for the public site, or private document).

To protect page, i add a Cookie/Session mechanism on page they choose to protect. The problem is that if a user decide to add security to a page, and in this page, put a link to a document (so a link to a document uploaded in the user folder), the PHP page is protected, but the link to the document should implicitely be protected too. Same for problem for IMAGES (<IMG>) inserted in this page. The IMG shouldn't be accessible if users are not authenfied.

Who could give me a solution, architecture to implement that kind of protection for a multiple user framework ? Thanks.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

To do this its the best to use custom tags for such links of pictures and documents. like [img]imageame[/img]
Then use
$text = preg_replace('#\[img\]([^]]+)\[/img\]#iUe', "checkimg('\\1')", $text);

in the function checkimg you implement the check to see if the current user has the right to view that image.
function checkimg($name) {
   if (isEntiled() || strstr('public', $name)) {
       return "<img src='$name'>";
   } else {
       return '';

Same is possible for other tags. You can also use the hrml-tags and parse them, but that regex is a little bit more difficult.

Just my 2 cents how to do this.
eeolivierAuthor Commented:
Maybe i didn't explain well.

In fact , if a user in a protected page put "<IMG SRC="http://localhost/images/toto.jpeg">", my cookie session system don't protect the http://localhost/images/toto.jpeg file, so in a browser I can type "http://localhost/images/toto.jpeg" and get the picture
Do you have any information if such a file belongs to a private or public page or maybe both, except that such a link is referenced inside a page.

If you have such information you might have a look at how files can be protected. I think you will need to rewrite parts of you application so the user decides on the upload if this file is public or private. Then you can check the file via such a script as given in that link if someone is allowed to get the file or not.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

if you have access to htaccess, then you can protect  the files in each directory.

I've shown this solution elsewhere for other problems.

Fundamentally, you set an htaccess file so that all access is natively denied
but you use the errordocument function to have another php file check for access based on your own rules
this in turn serves the page (either by processing with include() for php or by reading readfile() for non-php (JPG, etc))
implementing it as multi-user just involves checking the permissions based on the directory path in conjunction with the user's rights.  

To do this just parse the directory path and check for the rights that way.
the other way is to rename the files:
the user uploads image1.jpg
your script stores image1.jpg with a random file name (osnduoifrno) and puts the random - real file name relation in a database.
if somebody wants to retrieve image1.jpg, they cally your script
and you script simply looks up the random file name in the database and sends it's contents by file_get_contents().
If people cannot see a listing of your directory, they have no way of knowing the random file names.
As a mix of solutions offered by virmaior and _GeG_ you could use <a href="">mod_rewrite</a> to translate URL from:
or whatever you like.
getfile.php will check if user is authorised to retrieve file and will(or won't) output the file.
Split: hernst42 {http:#12583442} & virmaior {http:#12584387} & _GeG_ {http:#12585907} & sergio_ga {http:#12624972}
I was wondering last month why I had received so few points. Now I know, because the askers do not close the questions!
Thanks mods for checking this!

btw I agree with the split that hernst42 suggests.
Just a note -- I am not a Moderator but just a Cleanup Volunteer (and Page editor actually but in other areas) and Cleanup is a normal process -- in some areas slower in some areas faster but it is going on :)

Thanks for the responses. They really help :)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.