
I'd like to protect the images (for example, a private photo gallery) with a user log-in. I don't use htaccess (because of usability: you cannot log out, design is shitty, ...) but instead a php/db login + session for authentication. This works well for my own PHP scripts.

However, the photos are not protected if you enter the specific URL (as they would be with htaccess authentication).

The question is: [how] can the photos/images be protected in the same way? It would be perfect to have a rule like "for all images, call 'session.php' first".

Note: I cannot deliver all images via a PHP script (like getimage.php?img=photo123.jpg) because I also use external scripts for the photo gallery, blog etc.

Note 2: One option would be a referral check in htaccess, however there are cases where no referer is sent and the photo should still be shown (because the user authenticated correctly).

  • What exactly is up with your first *Note*? What external scripts are you talking about and how do they impact your ability to use PHP scripts to serve the files? Are the images hosted *externally* and that server isn't requiring authentication? Then there isn't a lot you can do to protect them. You could still serve them through a PHP script on your server as a reverse-proxy, but they'll still be publicly available directly on that other server. – deceze Apr 14 '20 at 11:47
  • Thanks for the quick answer. What I meant was that I cannot *change* some PHP files and how images are included. For example I cannot change "img/photo.jpg" to "get.php?f=img/photo.jpg" in all scripts. – classification_guy Apr 14 '20 at 12:01
  • You don't have to, you just need to configure your server to route requests for `img/photo.jpg` through a PHP file. This can be done with .htaccess rules: https://stackoverflow.com/a/20563773/476 – deceze Apr 14 '20 at 12:25

0 Answers
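
The routing described in the last comment, as an added example that is not part of the original thread: an `.htaccess` rewrite sends every image URL to one PHP script, which checks the login session before streaming the file. The script name `serve_image.php`, the directory `/var/www/private/img`, the rewrite pattern and the session key `user_id` are assumptions, not taken from the question or the linked answer.

```php
<?php
// serve_image.php: hypothetical gatekeeper (file name is an assumption).
// Assumed .htaccess rule in the document root, so "img/photo.jpg" URLs
// emitted by third-party scripts keep working unchanged:
//   RewriteEngine On
//   RewriteRule ^img/(.+\.(?:jpe?g|png|gif))$ serve_image.php?f=$1 [L,NC]

const IMAGE_DIR = '/var/www/private/img'; // assumed path outside the web root
const MIME_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                    'png' => 'image/png', 'gif' => 'image/gif'];

// Return the real path of the requested image, or null if it is missing,
// not an allowed type, or resolves outside $baseDir (e.g. "../config.php").
function resolveImagePath(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Reject anything that resolved outside the image directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return array_key_exists($ext, MIME_TYPES) ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) { // assumed key set by the existing login code
    http_response_code(403);
    exit;
}
session_write_close(); // release the session lock for parallel image requests

$f = $_GET['f'] ?? '';
$path = is_string($f) ? resolveImagePath(IMAGE_DIR, $f) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . MIME_TYPES[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private'); // keep shared caches from storing protected images
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Keeping the files outside the web root means a request that misses the rewrite pattern cannot reach them directly.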