Preventing access to images

Posted on 2011-04-28
Last Modified: 2012-05-11
I know how to code to  restrict access to php pages, but I am wondering how to prevent images being download, if someone knows the path (without going via the web app).

I want to make sure only my registered users with the right credentials can access them, but restrict others from accessing them with the path.

I am not concerned about the authorised users, with the correct credentials from accessing or even downloading them.  I just want to make sure for security reasons, that they cannot be accessed unless the person has the correct credentials.

I would appreciate advice here.  I am not sure if this needs to be done at the server level or the app level.
Question by:debbieau1
    LVL 40

    Assisted Solution

    You can setup an Apache authentication module to protect directories.

    Or you can create a PHP image handler that serves up all images. So all links woudl change from /images/foo.jpg to /php/getImage/foo.jpg

    I'd go with the first option for performance reasons, but it all depends on how you do your authentication at this point. There are a lot of auth modules out there, ranging from the simplest mod_auth which uses password files, to database access or ldap access (for example mod_auth_mysql)
    LVL 107

    Assisted Solution

    by:Ray Paseur
    The problem with leaving the image in a folder that can be accessed by a web browser is that the image can be "accidentally" discovered.  You can move the images outside the WWW directory tree and use a script to render them on the browser screen for authorized clients.  The script would check client authentication/login status, then issue the appropriate headers and read-regurgitate the image contents into the browser output stream.
    LVL 26

    Accepted Solution


    If you decide to use Apache as the control mechanism, then the following article may be of some use:
    LVL 1

    Author Closing Comment

    Thanks everyone they were all very useful

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure…
    Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
    The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
    The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now