nk_0202

Reputation: 50

Allow only my domain to serve images from my server

I know there are answered questions closely related to this one, but even after thorough research I have not found a solution that is applicable to my problem.

The problem is as follows: I have a file system that allows my users to upload a profile picture, and in the future an entire private gallery. I want to be able, from one of my own pages, to fetch those profile pictures, say in the chatbox, by simply adding <img src="http://example.org/usercontent/[FOLDERID]/profilepicture.png" />. At the same time I want to prevent people from entering http://example.org/usercontent/[FOLDERID]/profilepicture.png in their URL bar and just view the picture directly, because these pictures are supposed to only be visible to logged on users. Is this possible? I have tried things like

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.org/.*$ [NC]
    RewriteRule .(gif|jpg|png|jpeg)$ [R,NC,L]
    </ifModule>

in my .htaccess file, but this results in all my images being blocked, even when I try <img src="http://example.org/usercontent/[FOLDERID]/profilepicture.png" />, which should just display the image, given that the image tag is written on one of my own pages.

Upvotes: 0

Views: 716

Answers (1)

bobince

Reputation: 536379

I want to prevent people from entering http://example.org/usercontent/[FOLDERID]/profilepicture.png in their URL bar and just view the picture directly, because these pictures are supposed to only be visible to logged on users

You'll have to write a script that checks the user is logged in and returns the image file if so, e.g. using readfile() and suitable type and cache headers, or possibly mod_sendfile.

Referrer checking is neither secure nor reliable; it is not a workable authentication mechanism.

Upvotes: 2
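
A sketch of the kind of script the answer describes, added here as an example and not code from the original answer. It assumes a hypothetical `image.php` called as `image.php?folder=123`, a login that sets `$_SESSION['user_id']`, numeric folder ids, and uploads stored outside the web root in `/var/www/private/usercontent`.

```php
<?php
// image.php: added example, not code from the original answer.
// Assumptions (hypothetical): login sets $_SESSION['user_id']; uploads live
// outside the web root in STORAGE_ROOT; the folder id is numeric.
declare(strict_types=1);

const STORAGE_ROOT  = '/var/www/private/usercontent';   // assumed path
const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'image/gif'];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_cache_limiter('');   // stop PHP sending no-cache; headers are set below
session_start();

// 1. Authentication: the session, not the Referer header, decides access.
if (empty($_SESSION['user_id'])) {
    deny(403);
}

// 2. Accept only a strict folder-id format so the value cannot traverse paths.
$folder = $_GET['folder'] ?? '';
if (!is_string($folder) || !preg_match('/^[0-9]{1,10}$/', $folder)) {
    deny(400);
}

// 3. Resolve the file and confirm it is still inside the storage root.
$root = realpath(STORAGE_ROOT);
$path = realpath(STORAGE_ROOT . '/' . $folder . '/profilepicture.png');
if ($root === false || $path === false
    || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
    deny(404);
}

// 4. Serve only real images; derive the type from the content, not the name.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($type, ALLOWED_TYPES, true)) {
    deny(404);
}

// 5. Type and cache headers, then stream the file.
header('Content-Type: ' . $type);
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, max-age=300');   // browser cache only, no shared caches
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The pages then reference `<img src="/image.php?folder=123" />`, and the upload directory itself is not reachable by URL, so a request without a valid session gets a 403 regardless of the Referer header.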
