I've inherited an application with a glaring security hole.
It has session-based security, but file uploads (which are user specific) are not secured in any way an
I think you may need to write a script that will serve the images, then use htaccess to completely restrict access to the actual images from a browser.
The script can take in the web path to the image, decide if the user has access, then use something like fpassthru to feed an actual image to the browser.
All references to the images would need to be modified, however, to reference the serving script.
So instead of accessing the images with /images/123/5423453245.jpg, it would be /image.php?images/123/5423453245.jpg
Or something similar to that.
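The serving-script approach from the answer above, written out as an added example (this is not code from the thread or from the application in question). It assumes a hypothetical layout where uploads live on disk under `images/<user_id>/<file>`, that the existing login code stores the logged-in user's id in `$_SESSION['user_id']`, and that the URL form suggested in the answer is used (`/image.php?images/123/5423453245.jpg`). The two checks a practitioner would insist on are both here: the user id in the path is compared against the session (never trusted on its own), and the path is validated with a strict pattern plus a `realpath()` prefix check so that `..`, absolute paths or symlinks cannot pull files from outside the image root.

```php
<?php
// Added example, not code from the original thread. Hypothetical assumptions:
//  - uploads live under IMAGE_ROOT as images/<user_id>/<file>
//  - the existing login code sets $_SESSION['user_id']
//  - requests look like /image.php?images/123/5423453245.jpg (per the answer)
//  - the images/ directory itself is blocked from direct access via .htaccess
declare(strict_types=1);

const IMAGE_ROOT = __DIR__ . '/images';  // hypothetical on-disk location

// Accept only the exact shape "images/<digits>/<simple filename>.<ext>".
// Anything else (absolute paths, "..", nested directories, null bytes,
// URL-encoded tricks) is rejected before the filesystem is touched.
function parse_image_request(string $query): ?array
{
    $query = rawurldecode($query);
    $re = '#\Aimages/([1-9][0-9]*)/([A-Za-z0-9_-]+\.(?:jpe?g|png|gif))\z#i';
    if (!preg_match($re, $query, $m)) {
        return null;
    }
    return ['owner' => (int) $m[1], 'file' => $m[2]];
}

// The access decision: the owner id comes from the path, the requester
// from the session. A missing session or a mismatch means no access.
function user_may_view(?int $sessionUser, int $owner): bool
{
    return $sessionUser !== null && $sessionUser === $owner;
}

// Resolve the on-disk path and prove it stays inside IMAGE_ROOT even if
// the tree contains symlinks (realpath() follows them).
function image_disk_path(int $owner, string $file): ?string
{
    $root = realpath(IMAGE_ROOT);
    $candidate = realpath(IMAGE_ROOT . '/' . $owner . '/' . $file);
    if ($root === false || $candidate === false) {
        return null;
    }
    if (strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0 || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// Stream the bytes with a content type sniffed from the file itself, not
// from the requested name, and keep shared caches from storing a copy.
function send_image(string $path): void
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . (string) filesize($path));
    header('Cache-Control: private, no-store');
    header('X-Content-Type-Options: nosniff');
    $fh = fopen($path, 'rb');
    fpassthru($fh);
    fclose($fh);
}

session_start();

// The raw query string is used because "/image.php?images/123/x.jpg" has
// no key=value form; PHP would mangle it into an odd $_GET key otherwise.
$request = parse_image_request($_SERVER['QUERY_STRING'] ?? '');
if ($request === null) {
    http_response_code(404);
    exit;
}

$sessionUser = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
if (!user_may_view($sessionUser, $request['owner'])) {
    http_response_code(403);
    exit;
}

$path = image_disk_path($request['owner'], $request['file']);
if ($path === null) {
    http_response_code(404);
    exit;
}
send_image($path);
```

To close the original hole, the `images/` directory also needs an `.htaccess` containing `Require all denied` (Apache 2.4; `Deny from all` on 2.2) so the only route to the bytes is through `image.php`, and every `<img src="/images/...">` in the templates is changed to `/image.php?images/...`. If the storage directory can be moved outside the web root entirely, that is preferable to relying on `.htaccess`, and the script above works unchanged once `IMAGE_ROOT` points there.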