1

As a photographer, I have my own website with a portfolio and such. I also have a log-in system for users, where I give them access to their own private images (it displays all images placed inside a specific folder - I do this manually for each user).

When a user logs in and sees his private images, he'll notice the URL says the following (when he downloads it/clicks it/etc): www.mywebsite.com/FOLDER_NAME/IMG_123.jpg

By simply doing a bit of guessing, he'll be able to find other users private images. Of course this is defeats the purpose of having private images on my website, so I have to find a way around that.

At the moment, the user can only see his private images if his user_email (unique) matches userRow:

if ($userRow['user_email'] == "email@hotmail.com")

I'm not so sure what to search for. Restrict access to images wasn't a successful search query for me.

What can I do? I guess an option would be to call the folders something random, such as: "Charles661846Xkdfdsnf34590u". That will be hard to guess, but I'm not so sure about security (as in if there are other ways to get access to the root?).

I have taken a look at Deny direct access to all .php files except index.php but that is not what I want exactly.

What can I do in this case?

I've programmed my site in php,html and a bit javascript.

Community
  • 1
  • 1
Charles
  • 151
  • 2
  • 13

2 Answers2

3

If you need to restrict access to files only to a logged-in user, you should move all files from the web-root and put them in a place where you cannot access them directly through the web-server.

Then you serve the files after the user is authenticated through php. See for example the first example on the readfile() page of the php manual.

So when a user logs in, you store for example the user ID in a session variable and on top of the file-serving script you check if the id is correct / allowed access to that specific file.

jeroen
  • 91,079
  • 21
  • 114
  • 132
1

Further to what Jeroen has said, you're on the right track in identifying that the folder name could be the weak point, and that it should be difficult/impossible to guess. There is no need to name folders after users; you can create a random 8, 12 or 16-char alphanumerical string and store that in the userRow as, perhaps, $userRow['folder_name'].

You can also put all user folders under a structure like http://example.com/storage/A97LD34B2 and ensure that the storage folder has an .htaccess file with:

Options All -Indexes

That's all you need in that text-only file. This, of course, assumes you have an Apache web server (by far the most common, especially for shared hosting accounts.) This file would prevent Mr Snoopy from navigating to http://example.com/storage and seeing a list of files.

Here are two S.O. questions that outline how to construct a password-protected members-only system:

Login into a website and get html from a page

PHP - Secure member-only pages with a login system

Note that each folder would contain an index.php file that would serve up files as jeroen described.

Community
  • 1
  • 1
cssyphus
  • 37,875
  • 18
  • 96
  • 111