4 replies to this topic

[elle]

Hi,
I need some help/ideas with this : I'm using session for user's authorization and need to access "private" image data or access to some directory for authorized user only. My question is how to protect images (image file or directory) with session (I mean no HTTP basic authentication scheme is allowed) ?

I've tried something like this, but it doesn't work properly probably due to the directory rights.

<?php

function LoadJpeg($imgname)
{
    $im = @imagecreatefromjpeg($imgname);
    if (!$im) { /* See if it failed */

        /* Output an errmsg */

    }
    return $im;
}

/* if (user logged in) */

header("Content-Type: image/jpeg");
$img = LoadJpeg("private/image.jpg");
imagejpeg($img);

?> 

Some ideas how it's done would be appreciated.
TIA

[Crane]

And the code above doesn't work? If the user is logged in allow them to access it. If not redirect them. Seems like a solid plan.

[elle]

Actually the code above is really correct. Some modification can be still applied I mean replace creatimage function with some direct stream read function (avoiding of compression) but this still doesn't solve the image protection in the directory. The solution is to use .htaccess on it with deny to show images.

That's it.

[John]

I've never used the deny feature in .htaccess. Is that the same method for hotlink protection - if so, can you deny yourself from accessing them?

You could always store your images outside the public_html folder and use GD to generate the images as you need them.

[elle]

Actually I'm using some freeweb hosting and there's no way how to access directory out of the web root. So .htaccess works pretty well for me now.

I'm using this one inside the image folder:

<FilesMatch "\.(jp?g)$">
   order deny,allow
   deny from all
</FilesMatch>

For reading image data from php is used fpassthru() function or something like that. Now I can decide who's authorized via session and provide the image.

elle