Question

Basically, all the files within the Apache directory are not accessible, except for the images. The images should be accessible but only if loaded through the website. If I set the Apache rule based on the referer, it is very easy to bypass: http://www.mustap.com/phpzone_post_62_how-to-bypass-the-referer-se Of course it's not the right choice.

My Apache conf file:

<Directory /var/www/path>
    Order allow,deny
    Deny from all
    Options -Indexes
    # Check against the referer, first level check
    SetEnvIf Referer domain1\.com domain1
    SetEnvIf Referer domain1\.com domain2
    <FilesMatch \.(jpg|jpeg|gif|png)$>
        Order deny,allow
        Deny from all
        Allow from env=domain1
        Allow from env=domain2
    </FilesMatch>
</Directory>

How can I solve this without putting the images in a DB?

Thanks


Solution

One way to know for sure is to run all your images through a PHP script which uses something like readfile() to check the requested image and then output it.

For example: site.com/image.php?name=logo.jpg

The script could check if the user has a session on your site; if they don't, then it means they are requesting the image without viewing the site first (unless cookies are disabled).

This is going to increase load time though so you have to consider the cost/benefit of implementing.
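
A sketch of such an image.php, added here as an example and not part of the original answer. It assumes the site's pages call session_start() and set a hypothetical $_SESSION['site_visit'] flag, and that the images live in the /var/www/path directory from the question, which stays closed to direct requests.

```php
<?php
// image.php?name=logo.jpg  (added example, not the answerer's code)
// Assumption: every normal page of the site runs session_start() and sets
// $_SESSION['site_visit'] = true; that key name is hypothetical.
declare(strict_types=1);

const IMAGE_DIR = '/var/www/path';   // directory from the question
const MIME_BY_EXT = [                // same extensions as the FilesMatch rule
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'gif' => 'image/gif',  'png'  => 'image/png',
];

function fail(int $status): void
{
    http_response_code($status);
    exit;
}

// 1. Only serve visitors who already hold a session created by the site.
session_start();
if (empty($_SESSION['site_visit'])) {
    fail(403);
}
session_write_close();               // release the session lock before streaming

// 2. Reduce the parameter to a bare file name; reject NUL bytes and arrays.
$name = $_GET['name'] ?? '';
if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
    fail(400);
}
$name = basename($name);             // drops any directory components
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if (!array_key_exists($ext, MIME_BY_EXT)) {
    fail(404);                       // never serve .php, .htaccess, etc.
}

// 3. Resolve symlinks and confirm the file really sits inside IMAGE_DIR.
$base = realpath(IMAGE_DIR);
$path = realpath(IMAGE_DIR . DIRECTORY_SEPARATOR . $name);
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    fail(404);
}

// 4. Send the image with an explicit type; keep it out of shared caches.
header('Content-Type: ' . MIME_BY_EXT[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, max-age=3600');
readfile($path);
```

Any client that loads a page first receives a session, so this check blocks hot-linking and direct URL requests rather than a visitor who deliberately saves the images.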

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow