Question

In a web application to transform images I want to deny direct access to other users' images, and I've achieved it by adding this code to my main .htaccess file:

RewriteCond %{HTTP_COOKIE} !PHPSESSID=(.+) [OR,NC]
RewriteCond %{HTTP_COOKIE}:%{REQUEST_URI} ^PHPSESSID=(.*?);:(?!.*?/usuarios/\1).* [NC]
RewriteRule ^.*?/usuarios/.+?\.(gif|jpe?g|png|wbmp)$ - [R=403,L]

So, as users have their own folder to upload and transform images, this rule will check whether you are requesting an image whose directory matches your session id, and will throw a 403 response if it doesn't match.

It seems to work fine, but if any user attaches an image and changes the src to another user's image (assuming he knows the path), it shows that image.

How could I prevent it?

You can check at http://itransformer.es


Solution

As @David Houde says, such logic should be implemented in the application, for instance in the following way:

  1. The images uploaded by your users will be stored outside the web site root directory, so they cannot be accessed directly using a URL,

  2. You need to set up your website to handle virtual URLs (the simplest option here being a rewrite rule internally passing the request URL as a parameter to some PHP (or whatever) script),

  3. Then, in your script you will have full latitude to check whether the request matches your policy,

  4. And if the request is legitimate, your script will be able to open the requested image file and send its content as the web server's answer.
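A minimal serve.php following the four steps above, added here as an example and not code from the answer's author or the original poster. The upload root outside the web root, the $_SESSION['user_id'] key set at login, and the rewrite rule shown in the comment are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumptions:
//  - uploads live in /var/www/private_uploads/<user_id>/ (outside the web root)
//  - login stores the user's id in $_SESSION['user_id']
//  - .htaccess turns the image URL into a virtual one handled by this script:
//      RewriteRule ^usuarios/([0-9]+)/([^/]+\.(?:gif|jpe?g|png|wbmp))$ serve.php?user=$1&file=$2 [L,NC]
session_start();

const UPLOAD_ROOT = '/var/www/private_uploads';
const ALLOWED_TYPES = [
    'gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png', 'wbmp' => 'image/vnd.wap.wbmp',
];

function deny(int $code): void {
    http_response_code($code);
    exit;
}

// 1. Only authenticated users may fetch images at all.
if (empty($_SESSION['user_id'])) {
    deny(403);
}

// 2. Ownership is decided by the server-side session, not by the client:
//    the user segment of the URL must equal the logged-in user's id.
$requestedUser = $_GET['user'] ?? '';
if ($requestedUser !== (string) $_SESSION['user_id']) {
    deny(403);
}

// 3. Accept only a plain file name with an allowed extension
//    (rejects "..", slashes and unexpected types before touching the filesystem).
$file = $_GET['file'] ?? '';
if (!preg_match('/^[A-Za-z0-9_-]+\.(gif|jpe?g|png|wbmp)$/i', $file, $m)) {
    deny(404);
}

// 4. Resolve the real path and confirm it is still inside that user's own folder.
$userDir = realpath(UPLOAD_ROOT . '/' . $_SESSION['user_id']);
$path = $userDir ? realpath($userDir . '/' . $file) : false;
if ($userDir === false || $path === false || strpos($path, $userDir . DIRECTORY_SEPARATOR) !== 0) {
    deny(404);
}

// 5. Send the file with the content type derived from the validated extension.
header('Content-Type: ' . ALLOWED_TYPES[strtolower($m[1])]);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

Because no image file exists under the web root any more, a guessed path to another user's picture resolves to this script and fails at step 2, whatever the cookie header looks like.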

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow