Secure image downloads
Posted: Wed May 31, 2006 3:53 pm
Hi all,
I've got an interesting problem that I'm hoping someone has solved before.
I'm working on an online image gallery. This gallery is viewable from the web, but requires a person to log in (which therefore creates a session for them & stores the session & their timeout in a DB). To secure a page, all I need to do is include a file, and it automatically checks session timeouts and permissions.
The trick comes when trying to secure the images. I pretty much have to put the images outside of the web root and then use a PHP file to load them into a webpage using:
Code:
<img src = "image.php?user=username" />
I'm pretty sure I can't use .htaccess files & leave the images in the web root because I have no way of tying my authentication scheme into .htaccess sessions.
In my image.php file, I've put the code in that checks the DB to see if a user is authenticated. This effectively requires that a person be logged in to view an image. Unfortunately, it has to do this check every time. If I didn't do this check in image.php, then someone could just type in https://www.domain.com/system/image.php?user=joe and BOOM - they're in.
Unfortunately, after doing some testing, I've found (not surprisingly) that adding this database-permissions check makes the page load in 12.5 seconds vs. 0.25 seconds without the check (the times are totally dependent on the number of images in the page, but these numbers give you a relative idea).
Does anyone have any idea how I could speed this up? Ideally I'd like it to take the 0.25 seconds while still being secure, but 12.5 seconds for 27 images seems a bit excessive.
Thanks for any and all ideas.
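An added example, not the poster's code: a PHP script that serves images from outside the web root as the post describes, taking the user's identity from the server-side session instead of the `user` query parameter. The session keys `user_id` and `expires`, the `file` parameter and the `/var/gallery` path are assumptions made for the example.

```php
<?php
// image.php -- added example, not the poster's code.
// Assumptions (hypothetical names): the login code stores 'user_id' (int)
// and 'expires' (Unix time) in PHP's native session; images live in
// /var/gallery/<user_id>/ outside the web root; an image is requested
// as image.php?file=<name>.
declare(strict_types=1);

const GALLERY_ROOT = '/var/gallery';   // assumed location outside the web root

session_start();

// Identity comes from the server-side session, never from a query
// parameter such as ?user=joe, which the client controls.
$userId  = $_SESSION['user_id'] ?? null;
$expires = $_SESSION['expires'] ?? 0;
if (!is_int($userId) || !is_int($expires) || $expires < time()) {
    http_response_code(403);
    exit;
}
// Release the session lock: with PHP's default file-based session handler,
// parallel image requests from one browser otherwise wait on each other.
session_write_close();

// Accept only a bare file name with a known image extension.
$file = $_GET['file'] ?? '';
if (!is_string($file)
    || !preg_match('/\A[A-Za-z0-9_-]+\.(?:jpe?g|png|gif)\z/', $file)) {
    http_response_code(400);
    exit;
}

// Resolve symlinks and confirm the result is still inside this user's directory.
$base = realpath(GALLERY_ROOT . '/' . $userId);
$path = realpath(GALLERY_ROOT . '/' . $userId . '/' . $file);
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit;
}

// The extension was validated by the pattern above, so the lookup always hits.
$types = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
          'png' => 'image/png', 'gif' => 'image/gif'];
header('Content-Type: ' . $types[pathinfo($file, PATHINFO_EXTENSION)]);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```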