Reputation: 21
I have a PHP site with a login system, and am trying to make a feature where only specific usernames can view particular images. I think what I'm trying to do is more involved than merely changing the .htaccess file, because a) this won't help discern between users that are/aren't allowed to view the image, and b) if someone enters the exact URL of the image ("directory/images/photos/230ru0q0238rn230nd_asdi0nqn8.jpg") they can still view the image (since it's a physical file in the directory, and not text in a DB, etc.). Again, restricting via .htaccess would restrict the directory as a whole, or all files in it, so I can't figure out how it would work. Ideally, all images would be blocked by trying to access them directly through their direct URL, and the image would only appear between <img> tags if the user's session/username is valid, else they get an error message.
I've heard the term ACL but I'm not sure this is related to what I'm trying to do.
Upvotes: 2
Views: 952
Reputation: 17624
The Authorization and ACL scheme can vary, but to accomplish the basic goal of your question:
.htaccess to rewrite all requests to a script (this may eliminate the preceding step, assuming it denies any direct access to the files).
readfile() (or a variety of other functions) to output the image.
Upvotes: 1
Reputation: 342635
What you can do is create a simple context which outputs an image as a stream. The image which is output depends on the id (or some identifier) e.g.:
viewImages.php?imageId=234643
viewImages.php checks if the user is logged in/authorised (via $_SESSION most likely), and if so, it sends the image to the browser, possibly using readfile.
Upvotes: 0
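The approach in both answers (a script that checks the session, then streams the file with readfile()), as an added example that is not part of the original posts. The storage path, the $_SESSION['username'] key and the inline id-to-file ACL table are assumptions made for illustration.

```php
<?php
// viewImages.php -- added example, not code from the original posts.
declare(strict_types=1);

session_start();

// Assumption: images are stored outside the document root (or in a directory
// that .htaccess denies), so no direct URL maps to them.
const IMAGE_DIR = '/var/www/private/photos';

// Constructed sample data: image id => file name and usernames allowed to view it.
// A real application would look this up in its database.
const IMAGE_ACL = [
    234643 => ['file' => 'beach.jpg',  'users' => ['alice', 'bob']],
    234644 => ['file' => 'family.png', 'users' => ['alice']],
];
const MIME_BY_EXT = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

// Assumption: the login code stores the authenticated name in $_SESSION['username'].
$user = $_SESSION['username'] ?? null;
session_write_close(); // release the session lock before streaming the file
if (!is_string($user)) {
    deny(401, 'Please log in.');
}

// Accept only an integer id; the client never supplies a path or file name,
// so there is nothing to traverse with "../".
$id    = filter_input(INPUT_GET, 'imageId', FILTER_VALIDATE_INT);
$entry = is_int($id) ? (IMAGE_ACL[$id] ?? null) : null;

// Same response for "no such image" and "not allowed", so ids cannot be probed.
$path = $entry === null ? '' : IMAGE_DIR . '/' . $entry['file'];
$ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if ($entry === null || !in_array($user, $entry['users'], true)
    || !is_file($path) || !isset(MIME_BY_EXT[$ext])) {
    deny(404, 'Image not found.');
}

header('Content-Type: ' . MIME_BY_EXT[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store'); // keep shared caches from storing it
readfile($path);
```

Pages then reference the image as <img src="viewImages.php?imageId=234643">; the browser sends the session cookie with that request, so the same check runs whether the URL is embedded or typed in directly.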