How to protect against direct access to images?

Question

I would like to create a web site with many images. But I would like to protect against direct access to images, e.g. direct links to images without visiting the web site.

What is the preferred way to do this? And what are the alternatives with Pros and cons?

I have some ideas (I don't know if they are possible):

• File permissions
• PHP Sessions
• Temporary file names or URLs
• HTTP Redirection?

Maybe this isn't practiced on many web sites? E.g. I tried to access a private photo on Facebook without beeing logged in, but I could still visit the photo.

The platform will probably be a Ubuntu machine with NginX and PHP.

Answer 1

http://us3.php.net/image

You link the img element to a php file. This file checks if the user has the right permission, if so it can send an img response back.

<img src="url/LoadImg.php?id=1337" alt="" /> 

Still someone with the permission can download the image and provide it to other people somewhere else (webspace/mail/whatever). To make it a bit harder to steal it you can disable right clicking on the image, but still a user who knows a little bit about http should not have any problems to steal it. You can place a signature over the image (for example the logo/name of your website) so people can see that you where the source. This can be done with php aswell.

If you want to be funy you can setup an other image that is sent if the link comes from an other page :P

Answer 2

Add a simple .htaccess file in your site folder with the follwoing lines

RewriteEngine on RewriteCond %{HTTP_REFERER} !^http://www\.your-domain\.com/.*$ [NC] RewriteCond %{HTTP_REFERER} !^http://www\.your-domain\.com$ [NC] RewriteRule .*\.(wav|swf|jpg|jpeg|gif|png|bmp|js|css)$ - [F,NC,L] 

Note I added also js and css file even if I think it's bizzare to find someone who attempts to scrape them.