
Appropriate Directory Security?

Posted: Wed Dec 22, 2010 1:46 pm
by gm2
I apologize for my novice questions, but you guys have been a great help!

Problem:
I have a section of the website that must be secure. I have a typical PHP login script to access the web pages within this section. Within these pages, images are called and displayed; these images are what need to be secure from outside access.

The problem is that while the PHP login keeps those pages from being displayed without a password, it does not prevent the images from loading if the URL for said image is directly input into the browser.

I have set up a .htaccess file for the directory, and it stops linking from other sites, but not direct linking. It also prevents access to any sort of directory view. Given that the names of the images are a very long string of generated characters, is this reasonably secure? For the people viewing through passworded access, I have no problem with direct linking to images; it's outsiders that I want to avoid.

Re: Appropriate Directory Security?

Posted: Wed Dec 22, 2010 3:12 pm
by Christopher
You could use HTTP access control or move your images outside of the public directory and access them through a PHP script (that does the access control).

Re: Appropriate Directory Security?

Posted: Wed Dec 22, 2010 3:53 pm
by gm2
All of this is on a shared hosting account, so I don't believe I can do what I think you are saying.

Re: Appropriate Directory Security?

Posted: Wed Dec 22, 2010 6:47 pm
by Christopher
You can do both of those on shared hosting.

Re: Appropriate Directory Security?

Posted: Thu Dec 23, 2010 2:36 pm
by Bind
.htaccess

Code:

deny from all

will protect the directory.

Then authenticate the users for the proper permissions.

Then call the following function (or one similar to it), plugging in the path to the image dir or sub-dir and image filename to output the image stream to the browser:

Code:

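<?php
// Stream an image from a directory that is blocked from direct web access.
// Call this only after the user has been authenticated.
function StreamImage($path, $image)
    {
        // Keep only the file name so "../" sequences cannot escape $path.
        $the_image = $path.basename($image);
        if (!is_file($the_image))
            {
                header("HTTP/1.1 404 Not Found");
                return;
            }
        // Compare the extension case-insensitively.
        $ext = strtolower(substr($the_image, -4));
        if ($ext == ".png")
            {
                header("Content-type: image/png");
                $im = imagecreatefrompng($the_image);
                imagepng($im);
            }
        else if ($ext == ".gif")
            {
                header("Content-type: image/gif");
                $im = imagecreatefromgif($the_image);
                imagegif($im);
            }
        else if ($ext == ".jpg")
            {
                header("Content-type: image/jpeg");
                $im = imagecreatefromjpeg($the_image);
                imagejpeg($im);
            }
        else
            {
                // Unsupported type: no image was loaded, so there is nothing to destroy.
                header("HTTP/1.1 404 Not Found");
                return;
            }
        imagedestroy($im);
    }
?>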

Re: Appropriate Directory Security?

Posted: Thu Dec 23, 2010 5:16 pm
by Christopher
Simpler would be to just set the MIME type and then use a function like passthru() to dump the image data to the browser.
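
Added example (not posted by anyone in this thread): a single gatekeeper script that combines the suggestions above, checking the login session, validating the requested name, then sending the MIME type and the raw file bytes. The script name `image.php`, the `f` parameter, the `$_SESSION['user_id']` key and the `IMAGE_DIR` path are assumptions for illustration. It uses `readfile()` for the dump step, since PHP's `passthru()` runs an external program rather than reading a file.

```php
<?php
// Added example, not code from the thread. Hypothetical names throughout:
// image.php?f=<name>, $_SESSION['user_id'], and the IMAGE_DIR path.
session_start();

// Directory outside the web root (or protected with "deny from all").
define('IMAGE_DIR', '/home/example/private_images');   // assumed path

// Extension -> MIME type allowlist; anything else is refused.
$mime_types = array(
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
);

function deny($status)
{
    header($_SERVER['SERVER_PROTOCOL'].' '.$status);
    exit;
}

// 1. Same login check as the protected pages.
if (empty($_SESSION['user_id'])) {
    deny('403 Forbidden');
}

// 2. Accept a bare file name only: no slashes, no "..", known extension.
$name = isset($_GET['f']) ? $_GET['f'] : '';
if (!preg_match('/^[A-Za-z0-9_-]+\.(png|gif|jpe?g)$/i', $name, $m)) {
    deny('404 Not Found');
}

// 3. Resolve the path and confirm it is still inside IMAGE_DIR.
$base = realpath(IMAGE_DIR);
$file = realpath(IMAGE_DIR.'/'.$name);
if ($base === false || $file === false
    || strpos($file, $base.DIRECTORY_SEPARATOR) !== 0 || !is_file($file)) {
    deny('404 Not Found');
}

// 4. Send the type and the raw bytes; no GD decode and re-encode needed.
header('Content-Type: '.$mime_types[strtolower($m[1])]);
header('Content-Length: '.filesize($file));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($file);
```

The protected pages would then reference images as `image.php?f=<generated-name>.jpg` instead of linking to the files directly.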