如何防止用户通过URL查看图像？

Question

Imagine I have an image file secretImage.png on my Webspace and I want several users to have the right to access this image on index.php . This can easily be done:

// index.php
if($userIsAllowed) echo '<img src="secretImage.png" />';

The problem is, users could theoretically still access the image by browsing directly to www.myDomain.com/secretImage.png . Is there any way to prevent them from doing so, so that the image can only be viewed inside index.php ?

Answer 1

You can use htaccess to route all requests for a specific folder through a .php file. In the file, you can determine whether user can see the file or not... if so, deliver the correct headers and the image. If not, show whatever you want (404, placeholder image).

Answer 2

The HTTP call GET /secretImage.png should itself require authentication. For example, you could use basic authenication and have the user send a Authorization: {base64 user:password} header.

Answer 3

Serve your images from a php file via fpassthru where you check that the user is allowed

So for example, you might have a php file, getimage.php, that accepts a querystring like "?image=mysecretimage.png" and if the user is allowed, it passes it through. If you go this route, be careful to take appropriate precautions that only your image files are passed through.

Answer 4

User-specific URLs can be guarded through HTTP authentication. There are examples online, and it is entirely possible through some .htaccess fiddling that you tailor this method to all of your existing images.