Restrict access to images on my website except through my own htmls

Question

On my website I store user pictures in a simple manner such as: \"image/user_1.jpg\".

I don\'t want visitors to be able to view images on my server just by trying us

Answer 1

Method #1 is not viable as it will ask for user name and password on each and every image requested. You probably got the prompt for some of the images and not for others due to caching issues.

Method #2 looks the most appealing to me by being the least processor intensive, but with only the user_id passed through the md5 function the file name still quite easily guessable. You should go for md5('my secret string'.$user_id) for a better solution.

Why are you picking #3 via Perl or Python? What's wrong with PHP's speed? Indeed if you're protecting your images this way you should go to the extra length of moving them out and above your webroot so they're only accessible via your script which first checks if the user is authenticated and then passes the avatar by reading it and outputting it. Alternatively, you could protect the directory with an htaccess file saying deny from all.

Plus you should go for a HTTP_REFERER security either via PHP or via .htaccess.

Good luck!