I've got my site set up so that you can't see the contents of folders, and you need to log in with a username and password. Some confidential info is contained in jpegs of charts. I'm curious if it is possible to secure these images so that they can only be viewed by someone who is logged in. Of course, the only way to see them is to know the precise URL for them, and it is unlikely anyone who has no login access could do so. But I have a feeling there might be more I could do. I have enabled hot link protection, but it appears that if I just type the correct URL in my web browser, I can still see the image. What is the correct way to handle this? Thanks in advance to all for any info.
Here is the plan:

1. Place your confidential images in some folder. For example /conf_images

2. Deny access to this folder from the web. Create an .htaccess file in it like this:

```apache
Deny from All
```

3. Configure mod_rewrite to call the getimage.php script when some image is requested. Place code like this into the .htaccess file of your website root:

```apache
RewriteEngine on
# the pattern is matched against the URL path (images/...), not the full http://... URL
RewriteRule ^images/(.+)$ getimage.php?q=$1 [L]
```

4. Create the getimage.php script that will check the login cookie and return the image from the /conf_images folder, if login info was correct.

```php
<?php
// $LoggedIn is set by your existing login/cookie check
if ($LoggedIn) {
    // keep only the file name so the request cannot reach outside /conf_images
    $FileName = basename($_GET['q']);
    $Path = '/home/www/conf_images/' . $FileName;
    if (!is_file($Path)) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
    $Content = file_get_contents($Path);
    header('Content-Type: image/jpeg');
    header('Content-Length: ' . strlen($Content));
    echo $Content;
    exit;
}
```
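A fuller version of the gatekeeper script from the plan above, added here as an example and not the poster's code: it pairs with the same RewriteRule, assumes the site's login page sets $_SESSION['user'] on success and that PHP 7 or later is in use, and adds the checks a practitioner would want (path containment, a short list of image types, proper 403/404 responses and a no-store cache header).

```php
<?php
// getimage.php: serves a confidential image only to a logged-in user.
// Added example. Assumes the login page sets $_SESSION['user'] and that
// the images live in a directory the .htaccess denies to the web.
session_start();

const IMAGE_DIR = '/home/www/conf_images';
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// 1. Authentication: the same session check the rest of the site relies on.
if (empty($_SESSION['user'])) {
    http_response_code(403);
    exit('Login required');
}

// 2. Resolve the requested name inside IMAGE_DIR and confirm it stays there,
//    so a name containing "../" cannot reach files outside the folder.
$name = basename($_GET['q'] ?? '');
$base = realpath(IMAGE_DIR);
$path = realpath(IMAGE_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// 3. Only serve the image types listed above, with the matching Content-Type.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset(ALLOWED_TYPES[$ext])) {
    http_response_code(404);
    exit('Not found');
}

// 4. Stream the file and tell shared caches not to keep a copy
//    that a later, unauthenticated request could be served from.
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

Requests for anything other than an existing, listed image type inside the folder get a 404, so the script never reveals whether a path outside it exists.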
Also if you are concerned about someone capturing network traffic and replaying the session to impersonate an authenticated user, consider using SSL on your web server so all of your connections use HTTPS instead of HTTP. This attack is called sidejacking and has become a lot easier to exploit because of recently released Firefox plugins. Good luck.
One of the great features of an ASP.NET application is the ability to use Forms-based authentication, which allows for easy implementation of custom security. In a nutshell, if a user tries to access any page in the application, the system will make sure they are authenticated and, if they are not, they will be redirected to a login page. The problem, however, is that this is not the case for images.